Strand spaces are a popular framework for the analysis of security protocols. Strand spaces have
some similarities to a formalism used successfully to model protocols for distributed systems,
namely multi-agent systems. We explore the exact relationship between these two frameworks
here. It turns out that a key difference is the handling of agents, which are unspecified in strand 
spaces and explicit in multi-agent systems. We provide a family of translations from strand spaces 
to multi-agent systems parameterized by the choice of agents in the strand space. We also show 
that not every multi-agent system of interest can be expressed as a strand space. This reveals a 
lack of expressiveness in the strand-space framework that can be characterized by our translation. 
To highlight this lack of expressiveness, we show one simple way in which strand spaces can be 
extended to model more systems.

1. INTRODUCTION

Strand spaces [Thayer et al. 1999b] (THG from now on) have recently emerged 
as a popular framework for the analysis of security protocols. Roughly speaking, 
the strand space corresponding to a protocol is the set of the traces of the various 
interactions between the principals under consideration. Using strand spaces, we 
can reason about the secrecy of the values exchanged between principals and infer 
authentication properties. One limitation of the strand-space approach is that it 
assumes that all the information available to a principal is either supplied initially or 
contained in messages received by that principal. However, there is other important 
information that may also be available in a security setting. For example, an 
adversary may have information about the protocol(s) being used. Moreover, if the 
same agent is playing different roles, then it may be able to combine information 
it gathers in its various roles. This information can be captured precisely using 
a formal model of knowledge. Indeed, the multi-agent systems framework used to 
represent the knowledge and belief of agents has been used quite successfully to 
reason about distributed protocols (see [Fagin et al. 1995] for intuition, details, 
and examples). This framework is based on a notion of runs; a run is a complete 
description of what happens over time in one possible execution of the system. 
Early attempts at applying the multi-agent systems framework to reasoning about 
cryptography and security (cf. [Gray III and Syverson 1998; Halpern et al. 1988]) 
suggest that these notions of knowledge and belief can be an important component 
in reasoning about security, the BAN logic being an example in that particular
direction [Burrows et al. 1990]. Essentially, the idea is simply that information
can be derived in protocols not just through the messages being exchanged, but
through general properties of the system. Our current project is to define a multi-agent
systems framework suitable for reasoning about security using notions such as
knowledge and belief. On the other hand, strand spaces have been used successfully 
to reason about security protocols. Since there are similarities between the two 
approaches, it is worthwhile to see how much of the strand-space approach can be 
carried over to multi-agent systems and vice versa. This forces us to investigate 
in detail the relationship between the two approaches. That is the purpose of this 
paper. 

The key issue in relating the two frameworks is the handling of agents. For our 
purposes, an agent is an entity (a principal, a process, etc.) that can participate in 
interactions. This notion of agent is general enough to capture different intuitions, 
depending on the kind of system being analyzed. Typically, an agent corresponds 
to a system-independent entity such as a principal on behalf of whom interactions 
are performed. For our purposes, what matters is that an agent has a state that is 
shared across all the interactions that the agent performs. In multi-agent systems, 
there is a clear notion of an agent participating in an interaction. In strand 
spaces, there is not. Each protocol interaction (described by a strand) is viewed as 
independent from all others. In fact, each strand can be viewed as representing a 
different agent. This approach to modeling agents is deliberate in the definition of 
strand spaces, and gives a theory that yields general results. Strand spaces do treat 
agents, in a fashion, by essentially assigning to every strand a name representing 
the "agent" executing the strand; see, for instance, the description of NSL spaces 
by THG used to model the Needham-Schroeder-Lowe protocol. However, it is still
the case that strands corresponding to the same "agent" can exchange values only 
through explicit communication, i.e. there is no shared state across the strands 
corresponding to the same "agent" name. For all intents and purposes, these strands 
may as well be assigned to different actual agents. 

To highlight the role of agents, we provide a family of translations from strand 
spaces to strand systems, a subclass of multi-agent systems that seem to capture 
the intuition underlying strand spaces. The translations are parameterized by 
an assignment from strands to agents. This assignment associates with a strand 
the agent performing the protocol interaction described by the strand. Such an 
assignment captures the intuition that different strands can potentially be executed 
by the same agent. 

Why is the role of the agents so significant? For the protocols considered by 
THG, it is not. On the other hand, it is clear from the work on BAN [Burrows 
et al. 1990] and other logics (for instance, [Stubblebine and Wright 1996; Syverson 
1990]), as well as the work on information flow [McLean 1994], that belief and 
knowledge are useful concepts when reasoning about security protocols. As we 
said earlier, there are a number of ways that an attacker can gain knowledge in a 
system. Certainly when an attacker intercepts a message, it learns the contents of 
the message. But it may learn much more if it knows the protocol being run. In 
addition, different principals representing the same attacker may be able to pool 
the information they have acquired. In any case, as soon as one talks about belief
or knowledge, there must be agents in the picture to which belief or knowledge
is ascribed. One advantage of a multi-agent system is that it explicitly identifies 
agents and provides an easy way to ascribe knowledge to agents (see [Fagin et al. 
1995]). In the context of security, that means we are forced to reason about, for 
example, which principals represent the same agent or which ones may represent 
the same agent. (See [Grove 1995; Grove and Halpern 1993] for logics that carry
out such reasoning explicitly and, in particular, distinguish between agents and 
their names.) 

Significantly, our translations are not surjective. Some strand systems are not the 
image of any strand space, regardless of the assignment of agents to strands. This 
is not just an artifact of our particular translation. Any translation from strand 
spaces to strand systems that preserves the message history of the agents, in a 
precise sense, cannot be surjective. Intuitively, this is because in a strand space we 
cannot say "either this sequence of events happens or that one does, but not both". 
This indicates a fundamental lack of expressiveness in the current formulation of 
strand spaces. 

One way to characterize this lack of expressiveness is by showing how strand 
spaces can be extended to be able to model arbitrary strand systems. We demonstrate
one way of doing this by introducing a notion of conflict, specifying when
two strands cannot both be part of the same run. We remark that the general 
properties of strand spaces proved by THG, such as the bounds on the penetrator, 
are still valid in these extended strand spaces. We believe that this notion of conflict 
becomes important when considering modern security protocols. Protocols such as 
SSL or TLS involve the selection of a subprotocol during the execution of a protocol 
instance. Since only one such subprotocol can be chosen, it is natural to use conflict 
to model this. 

Despite this lack in expressiveness, strand spaces are quite successful at analyzing
typical protocols, particularly authentication protocols. Intuitively, based on the 
discussion above, this should be due to those protocols not making any choice. We 
formalize this intuition by exhibiting a property of protocols that ensures that a 
strand system generated from a protocol with such a property (using established 
techniques) is in fact the image of a strand space under the natural translation. 

The rest of this paper is structured as follows. In Section 2, we review strand 
spaces and multi-agent systems. In Section 3, we present the translation from 
strand spaces to strand systems. In Section 4, we discuss the problem of translating 
a strand system into a strand space, and show why in general we cannot perform 
the translation faithfully. In Section 5, we describe an extension to the strand space 
framework that is equivalent in expressive power to strand systems. In Section 6, 
we discuss the generation of systems from protocols. We interpret our results in 
Section 7. The proof of all technical results can be found in the Appendix. 



2. THE FRAMEWORKS 

In this section, we review the two frameworks we want to relate, the strand-space 
framework of THG, and the multi-agent systems framework [Fagin et al. 1995].

2.1 Strand spaces

Let $M$ be the set of possible messages that can be exchanged by the principals in
a protocol.$^2$ A signed term is a pair $(\sigma, u)$ with $\sigma \in \{+, -\}$ and $u \in M$. A signed
term $(+, u)$ represents the sending of message $u$ and is typically written $+u$, and
a signed term $(-, u)$ represents the reception of message $u$ and is typically written
$-u$. We write $(\pm M)^*$ for the set of finite sequences of signed terms. A strand space
over $M$ consists of a set $\Sigma$, whose elements are called strands, together with a trace
mapping $\mathrm{tr} : \Sigma \to (\pm M)^*$, associating each strand in $\Sigma$ with a sequence of signed
terms. We typically represent a strand space by the underlying set $\Sigma$, leaving the
trace mapping implicit.

In a strand space $\Sigma$, a node is a pair $(s, i)$, with $s \in \Sigma$ and an integer $i$ with
$1 \le i \le |\mathrm{tr}(s)|$. The set of nodes of $\Sigma$ is represented by $\mathcal{N}$. We say the node $(s, i)$
belongs to the strand $s$, and sometimes abuse notation by writing $(s, i) \in s$. Given
a node $n = (s, i)$, where $\mathrm{tr}(s) = (\sigma_1, u_1) \ldots (\sigma_k, u_k)$, define $\mathrm{term}(n) = (\sigma_i, u_i)$. If
$n_1$ and $n_2$ are nodes, we write $n_1 \to n_2$ if $\mathrm{term}(n_1) = +u$ and $\mathrm{term}(n_2) = -u$;
we write $n_1 \Rightarrow n_2$ if both $n_1$ and $n_2$ occur on the same strand $s$ and $n_1 = (s, i)$
and $n_2 = (s, i + 1)$. Note that the set $\mathcal{N}$ of nodes together with both sets of edges
$n_1 \to n_2$ and $n_1 \Rightarrow n_2$ forms a directed graph $(\mathcal{N}, (\to \cup \Rightarrow))$.

Strand spaces are aimed at reasoning about the security of systems in the pres- 
ence of a hostile penetrator with various capabilities. In order to model such a 
penetrator, a notion of an infiltrated strand space is defined by THG; the infiltrated 
strand space contains both regular strands and a set of so-called penetrator strands 
that represent the actions available to a penetrator. For the purposes of this paper, 
there is no need to distinguish penetrator strands from regular strands, so we do 
not consider infiltrated strand spaces. 

A bundle represents a snapshot of a possible protocol execution. For a given
strand space $\Sigma$, let $B = (\mathcal{N}_B, (\to_B \cup \Rightarrow_B))$ be a subgraph of $(\mathcal{N}, (\to \cup \Rightarrow))$. The
graph $B$ is a bundle if

B1. $B$ is finite,

B2. if $n_2 \in \mathcal{N}_B$ and $\mathrm{term}(n_2)$ is negative, then there is a unique $n_1$ such that
$n_1 \to_B n_2$,

B3. if $n_2 \in \mathcal{N}_B$ and $n_1 \Rightarrow n_2$, then $n_1 \Rightarrow_B n_2$,

B4. $B$ is acyclic.

In B2 and B3, because $B$ is a graph, it follows that $n_1 \in \mathcal{N}_B$. We say a node $n$ is
in the bundle $B$ if it is in $\mathcal{N}_B$.
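A checker for conditions B2-B4 on a finite candidate graph, given here as an added example (it is not code from the paper or from THG). The strand spaces, message names and function names are constructed for illustration, and the successor edges of B are assumed to be exactly those that B3 requires.

```python
from collections import defaultdict

# Constructed strand spaces (not from the paper): strand name -> trace, where a
# trace is a list of signed terms (sign, message).
EXCHANGE = {
    "init": [("+", "m1"), ("-", "m2"), ("+", "m3")],
    "resp": [("-", "m1"), ("+", "m2"), ("-", "m3")],
    "dup":  [("+", "m1")],                      # a second strand that sends m1
}
CYCLIC = {
    "a": [("-", "x"), ("+", "y")],
    "b": [("-", "y"), ("+", "x")],
}

def term(space, node):
    """term(n) for a node n = (s, i) with 1 <= i <= |tr(s)|."""
    s, i = node
    return space[s][i - 1]

def violations(space, nodes, comm_edges):
    """Return the sorted list of conditions the candidate graph B violates.

    nodes      -- the node set N_B (a finite set, so B1 holds by construction)
    comm_edges -- the communication edges n1 -> n2 kept in B
    The => edges of B are taken to be the ones B3 requires, so B3 reduces to
    "the same-strand predecessor of every node of B is also in B".
    """
    nodes, comm_edges = set(nodes), set(comm_edges)
    bad = set()

    # B must be a subgraph: each -> edge joins nodes of B, from +u to -u.
    for n1, n2 in comm_edges:
        if not (n1 in nodes and n2 in nodes
                and term(space, n1) == ("+", term(space, n2)[1])
                and term(space, n2)[0] == "-"):
            bad.add("subgraph")

    # B2: every negative node has exactly one incoming -> edge in B.
    incoming = defaultdict(int)
    for _, n2 in comm_edges:
        incoming[n2] += 1
    for n in nodes:
        if term(space, n)[0] == "-" and incoming[n] != 1:
            bad.add("B2")

    # B3: collect the => edges, flagging nodes whose predecessor is missing.
    succ_edges = set()
    for s, i in nodes:
        if i > 1:
            if (s, i - 1) in nodes:
                succ_edges.add(((s, i - 1), (s, i)))
            else:
                bad.add("B3")

    # B4: acyclicity of -> U =>, by repeatedly removing nodes of in-degree 0.
    indegree = {n: 0 for n in nodes}
    out = defaultdict(list)
    for n1, n2 in comm_edges | succ_edges:
        if n1 in nodes and n2 in nodes:
            indegree[n2] += 1
            out[n1].append(n2)
    ready = [n for n in nodes if indegree[n] == 0]
    removed = 0
    while ready:
        n = ready.pop()
        removed += 1
        for m in out[n]:
            indegree[m] -= 1
            if indegree[m] == 0:
                ready.append(m)
    if removed != len(nodes):
        bad.add("B4")
    return sorted(bad)

# A complete exchange between "init" and "resp": every receive has one sender.
FULL_RUN_NODES = {(s, i) for s in ("init", "resp") for i in (1, 2, 3)}
FULL_RUN_EDGES = {
    (("init", 1), ("resp", 1)),
    (("resp", 2), ("init", 2)),
    (("init", 3), ("resp", 3)),
}

if __name__ == "__main__":
    print("full run:", violations(EXCHANGE, FULL_RUN_NODES, FULL_RUN_EDGES))
    print("receive with no sender:", violations(EXCHANGE, {("resp", 1)}, set()))
    print("cyclic exchange:", violations(
        CYCLIC,
        {("a", 1), ("a", 2), ("b", 1), ("b", 2)},
        {(("a", 2), ("b", 1)), (("b", 2), ("a", 1))}))
```

The cyclic space satisfies B2 and B3 and fails only B4, which is why acyclicity is a separate condition rather than a consequence of the other two.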

It will be useful for us in this paper to allow infinite bundles. An infinite
bundle is just a subgraph of $(\mathcal{N}, (\to \cup \Rightarrow))$ that satisfies B2-4 (that is, we no
longer require the finiteness condition B1). The height of an infinite bundle is
the length of the longest finite sequence of nodes $n_1, n_2, n_3, \ldots, n_k$ in $B$ such that
$n_1 \leadsto n_2 \leadsto \ldots \leadsto n_k$, where $\leadsto$ is either $\to$ or $\Rightarrow$. (A bundle can have infinite
height if there is no bound on the length of the longest sequence of this type.) Of
course, all finite bundles have finite height. It is easy, however, to construct infinite
bundles of infinite height (even if all individual strands have length at most 2).
For example, consider the strand space $\Sigma = \{s_i : i \in \mathbb{Z}\}$, with a trace mapping
$\mathrm{tr}(s_i) = \langle -u_i, +u_{i+1} \rangle$. The strand space $\Sigma$ itself in this case is an infinite bundle
of infinite height. All the arguments of THG which were applied to finite bundles
go through without change for infinite bundles of finite height. (Indeed, they go
through for infinite bundles that are well-founded, in the sense of having no infinite
"descending" sequences of the form $\ldots \leadsto n_3 \leadsto n_2 \leadsto n_1$, although we end up
using only bundles of finite height in our arguments.)

2 The actual contents of the message and the structure of M are not important for the purpose of
this paper.

2.2 Multi-agent systems 

In the multi-agent systems approach, every agent is assumed to be in some local 
state at each point in time. Given a set $\mathcal{A}$ of agents, we characterize a system over
$\mathcal{A}$ at a given point in time in terms of a global state; this is a tuple $(\sigma_a : a \in \mathcal{A})$,
where $\sigma_a$ is the local state of agent $a$. The local states of an agent intuitively encode
all the information that the agent has available at a given point in time. In typical 
distributed systems applications, the local state includes the values of variables and 
a history of messages received. If we are modeling a group of agents playing a poker 
game, the local state may include the cards that the agent holds and the bets that 
have been made thus far. 

To capture changes to the system over time, we define a run of the system to be 
a function from time to global states. Intuitively, a run is a complete description 
of what happens over time in one possible execution of the system. A point is a 
pair (r, m) consisting of a run r and a time m. The global state r(m) describes
the state of the system at the point (r, m). Formally, we take a system to consist
of a set of runs. Informally, the system includes all the possible executions of the 
system, that is, all the different ways it could evolve through time. 

Due to the assumptions made by the strand-space approach, namely that events 
in strands consist of sending and receiving messages, we consider only systems where 
the local state of an agent is the sequences of messages that the agent has sent and 
received. Thus, we deliberately ignore internal actions (or, more accurately, treat 
them as irrelevant). 

We can formalize the above description as follows. Consider a fixed set $M$ of
messages. A history for agent $a$ (over $M$) is a sequence of elements of the form
$\mathsf{sent}(u)$ and $\mathsf{recv}(u)$, where $u \in M$. We think of $\mathsf{sent}(u)$ as representing the event
"message $u$ is sent" and $\mathsf{recv}(u)$ as representing the event "message $u$ is received."
Intuitively, $a$'s history at $(r, m)$ consists of $a$'s initial state, which we take to be the
empty sequence, followed by the sequence describing $a$'s actions up to time $m$. If $a$
performs no actions in round $m$, then its history at $(r, m)$ is the same as its history
at $(r, m - 1)$.$^3$ In such a message-passing system, we speak of $\mathsf{sent}(u)$ and $\mathsf{recv}(u)$
as events. For $a \in \mathcal{A}$, let $r_a(m)$ be agent $a$'s history in $(r, m)$. We say that an event
$e$ occurs in $a$'s history in round $m + 1$ of run $r$ if $e$ is in (the sequence) $r_a(m + 1)$
but not in $r_a(m)$.

In a message-passing system, the agent's local state at any point is its history.
Of course, if h is the history of agent a at the point (r, m), then we want it to be
the case that h describes what happened in r up to time m from a's point of view.
To do this, we need to impose some consistency conditions on global states. In
particular, we want to ensure that message histories do not shrink over time, and
that every message received in round m corresponds to a message that was sent at
some earlier round.

3 Round m takes place between time m - 1 and time m. Actions are performed during a round.
The effect of an action performed by agent a at round m appears in agent a's state at time m.

Given a set $M$ of messages, we define a message-passing system (over $M$) to
be a system such that for each point $(r, m)$ and each agent $a \in \mathcal{A}$, the following
constraints are satisfied:

MP1. $r_a(m)$ is a history over $M$;

MP2. for every event $\mathsf{recv}(u)$ in $r_a(m)$ there exists a corresponding event $\mathsf{sent}(u)$
in $r_b(m)$, for some $b \in \mathcal{A}$;$^4$

MP3. $r_a(0)$ is the empty sequence and $r_a(m + 1)$ is either identical to $r_a(m)$ or the
result of appending one event to $r_a(m)$.

MP1 says that an agent's local state is its history, MP2 guarantees that every 
message received at round m corresponds to one that was sent earlier, and MP3 
guarantees that histories do not shrink. 

We think of strand spaces as completely asynchronous message-passing systems. 
Roughly speaking, strand spaces do not place any constraints on the relative order 
of events in different agents' histories beyond those imposed by MP1 and MP2. 
As argued in [Fagin et al. 1995, Section 4.4.6], we can capture such asynchrony 
by considering systems that consist of all runs satisfying MP1-3 for some set of
histories. Formally, we say that $\mathcal{R}$ is a strand system if there exists a sequence
$(V_a : a \in \mathcal{A})$, where $V_a$ is a set of histories over some set $M$ of messages, such that
$\mathcal{R}$ consists of all runs satisfying MP1-3 where agent $a$'s local state is a history in $V_a$
at every point. We call $\mathcal{R}$ the strand system generated by $(V_a : a \in \mathcal{A})$. Informally,
the set $V_a$ specifies the possible histories agent $a$ could have. The strand system
generated by $(V_a : a \in \mathcal{A})$ consists of all runs satisfying MP1-3 such that agent $a$'s
histories are in $V_a$ for all $a \in \mathcal{A}$.

Strand systems are closely related to the asynchronous message-passing systems 
(amps) defined in [Fagin et al. 1995, Chapter 4]. The main difference is that for
strand systems, messages are anonymous. A message does not specify a sender or
a receiver. Messages in amps, on the other hand, are not anonymous. Events have
the form $\mathsf{sent}(u, a, b)$ ($u$ is sent to $a$ by $b$) and $\mathsf{recv}(u, a, b)$ ($u$ is received by $b$ from $a$).
The remaining differences are minor. Strand systems allow for an infinite number 
of agents, whereas in amps there are only finitely many agents. Amps can be easily 
modified so as to allow infinitely many agents. Moreover, agents are allowed in 
amps to have a nontrivial initial state, while for strand systems, the initial state is 
always the empty sequence. This was done for compatibility with the definitions of 
THG. 

3. TRANSLATING STRAND SPACES TO STRAND SYSTEMS 

In this section, we consider the problem of translating strand spaces into strand
systems. We do this by formalizing the strand space intuition that bundles represent
snapshots of possible executions. Our construction derives the possible execution
traces in terms of sequences of bundles, which are then used to construct the runs
of the system.

4 To simplify our translations, we allow an agent to send a message to itself, so a and b can be the
same agent.

A multi-agent system requires an explicit set of agents; a strand space does not. 
To perform the translation, we specify a set $\mathcal{A}$ of agents and a particular agent
assignment $A : \Sigma \to \mathcal{A}$, which intuitively associates with each strand $s \in \Sigma$ the
agent A(s) executing s. In the generated strand system, an agent behaves as if 
it were concurrently executing the various strands assigned to it. The motivation 
behind this approach is that if the same agent is in reality executing many strands, 
then it should share its knowledge across all the strands it is executing. 

The choice of agents and the agent assignment for a given strand space is left 
to the model designer. Different choices lead to different multi-agent systems. As 
we show at the end of this section, associating a different agent with each strand 
enforces the basic strand space tenet that information is exchanged only through 
explicit messages, i.e. there is no shared state between different strands. 

The translation takes as arguments a strand space $\Sigma$, a set $\mathcal{A}$ of agents, and an
agent assignment $A$ from strands in $\Sigma$ to agents. To define the translation, we first
define a relation on bundles that represents the actions that the agents in the strand
space can perform. Given a strand $s \in \Sigma$ and a bundle $B$, let $B$-height$(s)$ be the
largest $i$ such that $(s, i) \in \mathcal{N}_B$. (We take $B$-height$(s) = 0$ if no node in $s$ appears
in $B$.)$^5$ A function $f : \Sigma \to \Sigma$ respects $A$ if $A(s) = A(f(s))$, that is, the same
agent is associated with both strands $s$ and $f(s)$ for all strands $s \in \Sigma$. If $B_1, B_2$
are (possibly infinite) bundles of $\Sigma$, and $f : \Sigma \to \Sigma$ is a bijection that respects $A$,
we write $B_1 \sqsubseteq_f B_2$ if the following two conditions hold:

(1) if $(s, i)$ is in $B_1$, then $(f(s), i)$ is in $B_2$ and $\mathrm{term}((s, i)) = \mathrm{term}((f(s), i))$,

(2) if $(s, i) \to (s', j)$ is an edge in $B_1$, then $(f(s), i) \to (f(s'), j)$ is an edge in $B_2$.

These clauses guarantee that the prefix of $s$ that is in $B_1$ is a prefix of the prefix
of $f(s)$ that is in $B_2$. For example, if $B_1$ consists of the single node $(s, 1)$ and $B_2$
consists of $(s', 1)$ and $(s', 2)$, where $\mathrm{term}((s, 1)) = \mathrm{term}((s', 1))$, then $B_1 \sqsubseteq_f B_2$,
where $f$ is the bijection that permutes $s$ and $s'$, while acting as the identity on all
other strands.

For many cases of interest, we can simply take the bijection $f$ to be the identity;
in that case, $B_1 \sqsubseteq_f B_2$ if and only if $B_1$ is a subgraph of $B_2$. We discuss the
reason for allowing arbitrary bijections and the role of the bijection at the end of
this section.

We write $B_1 \mapsto B_2$ if there is a bijection $f : \Sigma \to \Sigma$ that respects $A$ such that

(1) $B_1 \sqsubseteq_f B_2$, and

(2) $\sum_{s \in A^{-1}(a)} \bigl( B_2\text{-height}(f(s)) - B_1\text{-height}(s) \bigr) \le 1$ for all agents $a \in \mathcal{A}$.

Informally $B_1 \mapsto B_2$ if, for each agent $a \in \mathcal{A}$, $B_2$ extends the prefix of at most one
strand in $B_1$ corresponding to $a$, and extends it by at most one node. (Note that
the strand $f(s)$ in $B_2$ extending the prefix of strand $s$ in $B_1$ may be different from
$s$, depending on the definition of $f$.) If $B_2$ does extend the prefix of one of the
strands in $B_1$ corresponding to agent $a$ by one node, let $e_{a, B_1 \mapsto B_2}$ denote the event
corresponding to that node: if the node is $n$ and $\mathrm{term}(n) = +u$, then $e_{a, B_1 \mapsto B_2}$ is
$\mathsf{sent}(u)$, and if $\mathrm{term}(n) = -u$, then $e_{a, B_1 \mapsto B_2}$ is $\mathsf{recv}(u)$. We define a $\mapsto$-chain (or
simply a chain) to be an infinite sequence of bundles $B_0, B_1, \ldots$ such that $B_0$ is the
empty bundle and $B_0 \mapsto B_1 \mapsto \ldots$.

5 This notion of height of a strand in a bundle should not be confused with the notion of height
of a bundle we defined in the previous section.

Let $\mathit{Chains}(\Sigma, \mathcal{A}, A)$ be the set of all chains in $\Sigma$. We associate with every chain
in $\mathit{Chains}(\Sigma, \mathcal{A}, A)$ a run as follows: Given a chain $C = B_0 \mapsto B_1 \mapsto \ldots$ and
an agent $a \in \mathcal{A}$, define $\mathrm{hist}_a^n(C)$ inductively. Let $\mathrm{hist}_a^0(C) = \langle\rangle$; let
$\mathrm{hist}_a^{n+1}(C) = \mathrm{hist}_a^n(C)$ if no strand corresponding to agent $a$ in $B_n$ is extended in $B_{n+1}$; otherwise,
let $\mathrm{hist}_a^{n+1}(C) = \mathrm{hist}_a^n(C) \cdot e_{a, B_n \mapsto B_{n+1}}$. (Informally, $\mathrm{hist}_a^{n+1}(C)$ is the result of
appending to $\mathrm{hist}_a^n(C)$ the unique event performed by agent $a$ in going from $B_n$
to $B_{n+1}$.) Thus, $\mathrm{hist}_a^n(C)$ consists of all the events that $a$ has performed in $B_n$.
Let $r^C$ be the run such that $r^C_a(m) = \mathrm{hist}_a^m(C)$ and let
$\mathcal{R}(\Sigma, \mathcal{A}, A) = \{ r^C : C \in \mathit{Chains}(\Sigma, \mathcal{A}, A) \}$.

Theorem 3.1. $\mathcal{R}(\Sigma, \mathcal{A}, A)$ is a strand system.

In light of Theorem 3.1, define the map $T_A$ from strand spaces to strand systems
by taking $T_A(\Sigma) = \mathcal{R}(\Sigma, \mathcal{A}, A)$.

As we mentioned at the beginning of this section, we can model strand spaces
as discussed by THG by taking the set of agents of a strand space $\Sigma$ to be $\Sigma$, and
taking the identity function $id$ as the agent assignment. This captures explicitly
the intuition that strands are independent protocol executions, that for all intents
and purposes may be assumed to be executed by different agents. This is the case
since there is no state shared between strands, and every communication is made
explicit. In other words, there is no conceptual difference between two strands $s_1$
and $s_2$ executed by different processes of an agent or by two distinct agents if there
cannot be any shared state between $s_1$ and $s_2$.

There is a small amount of information that is lost in the translation from strand
spaces to strand systems, which will become evident in Theorem 3.2 below. This
loss stems from the fact that messages in strand systems are completely anonymous.
For example, if agent 2 and agent 3 both send a message $u$ and later agent 1 receives
it, there is no way in a strand system to tell if agent 1 received $u$ from agent 2 or
agent 3. By way of contrast, in a strand space, there is an edge indicating who agent
1 received the message from. The multi-agent system framework can in fact keep
track of who an agent received a message from by adding an additional component
to the global state; this is the state of the environment, which intuitively describes
everything relevant to the system not included in the local states of the processes.$^6$
We will not bother going into the details of the environment in this paper, as the
issue does not affect our results. We can characterize the information loss resulting
from our translation by defining a relation between global states of $\mathcal{R}(\Sigma, \Sigma, id)$
and bundles of $\Sigma$. We say that a global state $(\sigma_s : s \in \Sigma)$ (recall that here $\mathcal{A} = \Sigma$)
is message-equivalent to a bundle $B$ if for each $s \in \Sigma$, if $\sigma_s = \langle e_1, \ldots, e_k \rangle$ then
$B$-height$(s) = k$ and, for each $i$ such that $1 \le i \le k$, if $\mathrm{term}((s, i)) = +u$ then
$e_i$ is $\mathsf{sent}(u)$, and if $\mathrm{term}((s, i)) = -u$ then $e_i$ is $\mathsf{recv}(u)$. Intuitively, a global state
is message-equivalent to any bundle that has the same nodes. This captures the
intuition that an agent receiving a message is not aware of the sender. The following
theorem shows that, except for this loss of information, our translation from strand
spaces to strand systems essentially identifies bundles and global states (if we treat
all strands as being associated with a different agent).

6 In our particular case, the environment could record the sender of each message that is received
at any given round.

Theorem 3.2. Every global state of $\mathcal{R}(\Sigma, \Sigma, id)$ is message-equivalent to a bundle
of $\Sigma$ of finite height, and every bundle of $\Sigma$ of finite height is message-equivalent
to a global state of $\mathcal{R}(\Sigma, \Sigma, id)$.

We remark that if the environment state is used to record the sender of each 
received message, Theorem 3.2 can be strengthened to a 1-1 correspondence between 
global states of $\mathcal{R}(\Sigma, \Sigma, id)$ and bundles of $\Sigma$ of finite height.

With these results in hand, we now discuss some of the choices made, in particular,
why we allowed infinitely many agents, infinite bundles, and an arbitrary
bijection $f$ in the definition of $\mapsto$. It turns out that these choices are somewhat
related. First observe that, in Theorem 3.2, we identified each strand with an agent. 
Thus, if there are infinitely many strands in the strand space, the corresponding 
strand system requires infinitely many agents. Naturally, if we restrict our analysis 
to strand spaces with only finitely many strands, then we can take the corresponding 
strand systems to have only finitely many agents. Infinite bundles are needed in 
order to prove Theorem 3.1 when there are infinitely many agents. To understand 
why, consider a strand space $\Sigma$, where $\Sigma = \{s_1, s_2, \ldots\}$ and $\mathrm{tr}(s_n) = \langle +u_n \rangle$. In
other words, strand $s_n$ has exactly one node, at which a send action is performed.
If a different agent is associated with each strand, then in the corresponding strand
system, the set of histories for agent $n$ will consist of the empty history and the
history $\langle \mathsf{sent}(u_n) \rangle$. The system based on this set of histories has a run where all
the agents send their message simultaneously at round 1. This history corresponds
to the infinite bundle consisting of all the strands in $\Sigma$. Intuitively, if all the agents
can send a message, there is no reason that they should not all send it the first 
round. 

Why do strand spaces allow infinitely many strands? Often, security protocols 
rely on nonce values, which are values guaranteed to be unique within a run of the 
system. Strand spaces model nonce values by specifying a different strand for each 
possible value of a nonce. Since, theoretically, there can be infinitely many nonces 
(as a consequence of uniqueness), we typically have to consider infinitely many 
strands for a given protocol. Note that these strands do not necessarily represent 
computations of different agents. Indeed, it probably makes sense to consider them 
all as being performed by the same agent (but at most one of them being performed 
in a given execution of the protocol). 

The bijection $f$ in $\sqsubseteq_f$ is not needed if a different agent is associated with each
strand. (That is, in this case it suffices to take $f$ to be the identity.) Similarly,
$f$ is not needed if there is a bound $k$ on the length of all strands in $\Sigma$. Indeed,
it is needed only to take care of the possibility that there is an infinite sequence
of strands, each intuitively a prefix of the next, and all associated with the same
agent. For example, consider the strand space $\Sigma$ where, again, $\Sigma = \{s_1, s_2, \ldots\}$ but
now $\mathrm{tr}(s_n) = \langle +u_1, \ldots, +u_n \rangle$. Intuitively, in this strand space, $s_n$ is a substrand
of $s_{n+1}$ (although, formally, there is no notion of substrand in strand spaces).
Suppose that the mapping is such that $\mathcal{A}$ consists of one agent $a_1$ and $A$ associates
all the strands in $\Sigma$ with $a_1$. If we did not allow such a map $f$ (or,
equivalently, required $f$ to be the identity), then the only chains would be those
of the form $B_0 \mapsto B_1 \mapsto \ldots \mapsto B_k \mapsto B_k \mapsto \ldots$ (for some finite $k$),
where, for some strand $s$, each $B_i$ is a prefix of $s$. If we apply our mapping to
this collection of strands, in the resulting system, there is a single set of histories
$V_{a_1} = \{ \langle \mathsf{sent}(u_1) \rangle, \langle \mathsf{sent}(u_1), \mathsf{sent}(u_2) \rangle, \langle \mathsf{sent}(u_1), \mathsf{sent}(u_2), \mathsf{sent}(u_3) \rangle, \ldots \}$, where
each history in $V_{a_1}$ is finite. However, the system generated by this set of histories
contains an infinite run, which sends message $u_i$ at time $i$. Unfortunately, there is
no chain corresponding to this run. On the other hand, once we allow nontrivial
bijections $f$, there is no problem. Abusing notation somewhat, there is a chain of
the form $s_1 \mapsto s_2 \mapsto s_3 \mapsto \ldots$ where $a_1$'s history is unbounded, since $s_k \sqsubseteq_{f_k} s_{k+1}$,
where $f_k$ permutes $s_k$ and $s_{k+1}$ and is the identity on all other strands.

Intuitively, if $f$ must be the identity, then every chain must "choose" the strand
it is executing, which implicitly corresponds to choosing how many messages to
send in that particular run. By providing a function $f$ that permits us to "jump"
to strands with the same prefix between any consecutive bundles of a chain, we 
are essentially modeling an agent that does not choose the length of the strand up 
front, but rather just performs the actions (and thus, if one strand is a prefix of 
another, it cannot tell which of the two strands it is performing). 

While it is important to recognize these subtleties, they do not arise in most 
protocols. For instance, strands for specific protocols will typically be of bounded 
length, and therefore the bijection / is not needed to define chains in the corre- 
sponding strand space. 



4. TRANSLATING STRAND SYSTEMS TO STRAND SPACES 

In this section, we consider the translation of strand systems into strand spaces.
Specifically, given a strand system $\mathcal{R}$, is there a strand space which maps to $\mathcal{R}$ under
a suitable agent assignment? In general, there is not. This result is not an artifact
of our translation, but reflects a fundamental difference between strand spaces and
strand systems. In particular, it does not depend on any of the subtleties that were
pointed out at the end of the last section.

To understand the difficulties, consider the following simple system $\mathcal{R}_1$. It
essentially contains two runs $r_1$ and $r_2$, with distinct messages $x$, $y$, $u$, $v$.

Because the MP1-3 assumptions on strand systems allow arbitrary delays between
the events, there are more than two runs in the system; the essential fact is that,
in any given run, agent 2 communicates only with agent 1 or only with agent 3.
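Formally, $\mathcal{R}_1$ is the strand system generated by taking:

$V_1 = \{\langle\rangle, \langle \mathrm{recv}(u) \rangle, \langle \mathrm{recv}(u), \mathrm{sent}(v) \rangle\}$,

$V_2 = \{\langle\rangle, \langle \mathrm{sent}(u) \rangle, \langle \mathrm{sent}(x) \rangle, \langle \mathrm{sent}(u), \mathrm{recv}(v) \rangle, \langle \mathrm{sent}(x), \mathrm{recv}(y) \rangle\}$, and

$V_3 = \{\langle\rangle, \langle \mathrm{recv}(x) \rangle, \langle \mathrm{recv}(x), \mathrm{sent}(y) \rangle\}$.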

Under the mapping presented in the previous section, there does not exist a
strand space that maps to this system, for any agent assignment. Intuitively, any
strand space modeling the system $\mathcal{R}_1$ will need at least strands corresponding to
runs $r_1$ and strands corresponding to runs $r_2$. Since these sets of strands do not
interact (that is, they do not exchange any message), the translation of Section 3
will produce a system that contains runs that amount to all possible interleavings
of the strands corresponding to $r_1$ and $r_2$. This results in a system that is strictly
larger than $\mathcal{R}_1$. For example, it must contain runs with the following histories for
agents 1, 2, and 3:




























Roughly speaking, what is happening in the strand system is that agent 2 
nondeterministically decides whether to send message u to agent 1 or message x to 
agent 3. In any run of the system, it sends one or the other, but not both. The 
problem here is that, in the strand-space framework, we cannot say "one or the
other, but not both".

To make this precise, given an agent assignment $A$, define a translation $T$ from
strand spaces to strand systems to be $A$-history preserving if, given a strand space
$\Sigma$,

— for each agent $a \in \mathcal{A}$, run $r \in T(\Sigma)$, and time $m$, there exists a bundle $B$ in $\Sigma$
such that the events in agent $a$'s history $r_a(m)$ are exactly those that appear in
nodes $(s, i)$ in $B$ such that $A(s) = a$;

— conversely, for each agent $a \in \mathcal{A}$ and bundle $B$ of finite height in $\Sigma$, there exists
a run $r \in T(\Sigma)$ and time $m$ such that the events in agent $a$'s history $r_a(m)$ are
exactly those that appear in nodes $(s, i)$ in $B$ such that $A(s) = a$.

Notice that the translation $T_A$ defined in the previous section is $A$-history
preserving.
Theorem 4.1. There is no agent assignment $A$ and $A$-history preserving
translation $T$ from strand spaces to strand systems such that the strand system $\mathcal{R}_1$ is in
the image of $T$.

The example above suggests that in general, systems arising from an agent
running a nondeterministic protocol may not be the image of a strand space under
our translation. The problem in fact is more profound. Even if the agents are
running deterministic protocols, the nondeterminism inherent in the delay of message
delivery may prevent a system from being the image of a strand space. Consider the
following system with two agents. Agent 1 sends a message $u$ to agent 2. If agent
2 hasn't received it yet, and hasn't sent a nack message yet, she sends a nack.
When she gets message $u$, she sends an ack. Here, the strand space intuitively
corresponding to this situation will include a strand for agent 1 where he sends
$u$. For agent 2, we can consider at least the following two strands, $\langle -u, +\mathit{ack} \rangle$
and $\langle +\mathit{nack}, -u, +\mathit{ack} \rangle$. One can check that there exists a chain leading to the
bundle made up of the following strand prefixes: $\langle +u \rangle$, $\langle -u, +\mathit{ack} \rangle$, and $\langle +\mathit{nack} \rangle$,
leading, through our translation, to a possible history for agent 2 of the form
$\langle \mathrm{recv}(u), \mathrm{sent}(\mathit{ack}), \mathrm{sent}(\mathit{nack}) \rangle$, which does not arise in the original system. In
this example, the problem does not occur because the agent makes a choice, but,
intuitively, because the "environment" is making a choice when delivering messages.
We will revisit these issues in Section 6, when we study the generation of systems
from protocols.

5. EXTENDED STRAND SPACES 

In the previous section, we showed that not all strand systems correspond to strand
spaces. More precisely, we showed that some strand spaces could not be in the
image of any history-preserving translation. How reasonable is the requirement
that a translation be history preserving? Suppose that $T$ is a translation from
strand spaces to strand systems that is "acceptable" in some sense. It certainly
seems reasonable to require that if $T(\Sigma) = \mathcal{R}$, then the events in every history
$r_a(m)$ that arises in $\mathcal{R}$ correspond to events that agent $a$ actually performed in
some bundle. (Note that there is no need to consider infinite bundles here; if there
is a bundle at all, it is finite.) Conversely, given a bundle $B$ over $\Sigma$, it seems
reasonable to require that there exists a history where $a$ performs the same actions
as it does in the bundle.

So exactly why is there no strand space corresponding to the system $\mathcal{R}_1$? Roughly
speaking, given a strand space $\Sigma$, any set of strands that satisfies B1-4 is a bundle.
Thus, once certain bundles exist, others are forced to exist too, including ones
that do not correspond to any run in $\mathcal{R}_1$. For example, once there is a bundle
corresponding to "2 sends $u$ to 1 and gets a response $v$", and another bundle
corresponding to "2 sends $x$ to 3 and gets a response $y$", there has to be a bundle
where 2 both sends $u$ to 1 and sends $x$ to 3. The strand-space framework cannot
express "either this sequence of events happens or that one does, but not both".
As we now show, this is essentially the only impediment standing in the way of
a translation from strand spaces to strand systems. We extend the strand-space
formalism with a notion of conflict that allows us to prohibit certain strands from
appearing together in the same bundle, and then show that such extended strand
spaces can model all strand systems.[7]

Define an extended strand space as a tuple $(\Sigma, \mathcal{A}, A, \mathit{Conf})$ consisting of a strand
space $\Sigma$, a set $\mathcal{A}$ of agents, an agent assignment $A$ from strands to agents, and
a set $\mathit{Conf} = \{\mathit{Conf}_a : a \in \mathcal{A}\}$ of symmetric relations, indexed by agents, such
that $\mathit{Conf}_a \subseteq A^{-1}(a) \times A^{-1}(a)$. The intuition is that if two strands $s_1$ and $s_2$
corresponding to the same agent $a$ are such that $\mathit{Conf}_a(s_1, s_2)$, then $s_1$ and $s_2$
conflict; they cannot both appear in the same bundle of $(\Sigma, \mathcal{A}, A, \mathit{Conf})$. Formally,
it is sufficient to refine the definition of a bundle. If $(\Sigma, \mathcal{A}, A, \mathit{Conf})$ is an extended
strand space, a bundle $B$ of $(\Sigma, \mathcal{A}, A, \mathit{Conf})$ is, as in the case of standard strand
spaces, a subgraph $(\mathcal{N}_B, (\rightarrow_B \cup \Rightarrow_B))$ of the strand space $\Sigma$, satisfying B1-4 and,
in addition:

B5. if $A(s_1) = A(s_2) = a$ and $\mathit{Conf}_a(s_1, s_2)$, then it is not the case that both
$B$-height$(s_1) \geq 1$ and $B$-height$(s_2) \geq 1$ (intuitively, if $\mathit{Conf}_a(s_1, s_2)$, then $s_1$
and $s_2$ cannot both appear in $B$).

We can similarly define an infinite bundle as a subgraph satisfying B2-5; the notion
of height remains unchanged.

Clearly, every bundle in an extended strand space $(\Sigma, \mathcal{A}, A, \mathit{Conf})$ is a bundle
of $\Sigma$, since properties B1-4 still hold. Moreover, properties such as the penetrator
bounds proved by THG carry over to extended strand spaces.
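The following Python sketch is an added example, not code from the paper. It encodes a constructed strand space for the system $\mathcal{R}_1$ of Section 4, enumerates its bundles, and shows that the plain strand space forces a bundle in which agent 2 sends both $u$ and $x$, while the conflict condition B5 removes exactly those bundles. The strand names, the dictionary encoding, and the simplified reading of B1-4 (prefix-closed strands whose nodes can be ordered so that every receive follows a send of the same term) are assumptions of the example.

```python
from itertools import product

# A strand is a tuple of signed terms: ("+", m) sends m, ("-", m) receives m.
# Constructed strand space for R_1 (strand names are assumptions of this example).
STRANDS = {
    "s1":  (("-", "u"), ("+", "v")),   # agent 1: receive u, answer v
    "s2u": (("+", "u"), ("-", "v")),   # agent 2 talking to agent 1
    "s2x": (("+", "x"), ("-", "y")),   # agent 2 talking to agent 3
    "s3":  (("-", "x"), ("+", "y")),   # agent 3: receive x, answer y
}
AGENT = {"s1": 1, "s2u": 2, "s2x": 2, "s3": 3}    # agent assignment A
CONF = {2: [("s2u", "s2x")]}                      # Conf_2 (read symmetrically)

def is_bundle(heights):
    """Simplified B1-4: heights pick a prefix of each strand, and the chosen
    nodes can be scheduled so that each receive follows a matching send.
    Each term has a single sender here, so the sender of a receive is unique."""
    done = {s: 0 for s in heights}
    sent = set()
    progress = True
    while progress:
        progress = False
        for s, h in heights.items():
            while done[s] < h:
                sign, term = STRANDS[s][done[s]]
                if sign == "-" and term not in sent:
                    break                      # receive not yet enabled
                if sign == "+":
                    sent.add(term)
                done[s] += 1
                progress = True
    return done == heights

def satisfies_b5(heights):
    """B5: two conflicting strands never both have height >= 1."""
    return not any(heights[s] >= 1 and heights[t] >= 1
                   for pairs in CONF.values() for s, t in pairs)

def all_bundles(extended):
    """Bundles of the plain strand space, or of the extended one if requested."""
    names = list(STRANDS)
    for hs in product(*(range(len(STRANDS[s]) + 1) for s in names)):
        heights = dict(zip(names, hs))
        if is_bundle(heights) and (not extended or satisfies_b5(heights)):
            yield heights

def events_of(heights, agent):
    """Events the agent performs in the bundle (the history-preserving view)."""
    return frozenset(("sent" if sign == "+" else "recv") + f"({term})"
                     for s, h in heights.items() if AGENT[s] == agent
                     for sign, term in STRANDS[s][:h])

# V_2 from Section 4, as event sets.
V2_EVENTS = {frozenset(h) for h in [(), ("sent(u)",), ("sent(x)",),
                                    ("sent(u)", "recv(v)"),
                                    ("sent(x)", "recv(y)")]}

def agent2_event_sets(extended):
    return {events_of(b, 2) for b in all_bundles(extended)}

if __name__ == "__main__":
    spurious = agent2_event_sets(False) - V2_EVENTS
    print("event sets with no history in V_2:", sorted(map(sorted, spurious)))
    print("extended space matches V_2:", agent2_event_sets(True) == V2_EVENTS)
```
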

We now consider translations from extended strand spaces to strand systems
and back. We first need to check that the construction of Section 3 that translates
a strand space into a strand system applies to extended strand spaces. Since a
bundle in an extended strand space is a bundle in the underlying strand space,
we define the set $\mathit{Chains}(\Sigma, \mathcal{A}, A, \mathit{Conf})$ as the subset of $\mathit{Chains}(\Sigma, \mathcal{A}, A)$ where
each chain is taken over bundles in the extended strand space. As in Section 3,
we can associate a run $r_C$ with every chain of $\mathit{Chains}(\Sigma, \mathcal{A}, A, \mathit{Conf})$, and we
define $\mathcal{R}(\Sigma, \mathcal{A}, A, \mathit{Conf}) = \{r_C : C \in \mathit{Chains}(\Sigma, \mathcal{A}, A, \mathit{Conf})\}$. The analogue of
Theorem 3.1 can be proved.

Theorem 5.1. $\mathcal{R}(\Sigma, \mathcal{A}, A, \mathit{Conf})$ is a strand system.

Therefore, extended strand spaces can be translated into strand systems in such
a way that chains correspond to the runs of the system. We abuse notation and call
this family of translations $T_A$ as well, where $A$ is an agent assignment (although
now the domain of $T_A$ is extended strand spaces over the agent assignment $A$).
However, the maps $T_A$ are now onto, and the following theorem holds.

Theorem 5.2. Given a strand system $\mathcal{R}$ over $\mathcal{A}$, there exists an extended strand
space $(\Sigma, \mathcal{A}, A, \mathit{Conf})$ such that $T_A(\Sigma, \mathcal{A}, A, \mathit{Conf}) = \mathcal{R}$.

Extending the strand space model with a notion of per-agent conflict relation
is not the only way to extend the model to match the expressiveness of strand
systems. For instance, it is possible to introduce a more general form of conflict
specifying that an arbitrary pair of strands in a strand space cannot appear in
any bundle. This notion of conflict does not require the introduction of agents in
the strand-space framework. On the other hand, this extension is actually more
expressive than strand systems as defined in this paper. For example, it is possible
to say that a particular history of agent 1 and another history of agent 2 do not
occur in the same run, something which cannot be done in a strand system. While
it is straightforward to augment strand systems to capture this stronger notion of
conflict, it is not clear that such a notion is of particular interest.

[7] We do not want to imply that this is the only way to extend strand spaces to achieve this effect,
nor do we claim that this approach is particularly original. Indeed, there is a vast literature in
concurrency theory on the subject of implementing choice constructs in various formalisms; see,
for instance, [Busi and Gorrieri 1994; Palamidessi 1997]. Independently, Crazzolara and Winskel
[2001] have noticed the same deficiency in strand spaces, and have derived a similar notion of
conflict between strands.

6. FROM PROTOCOLS TO SYSTEMS 

Up until now, we have assumed that our strand spaces and systems were simply 
given. This is the assumption typically made in the strand spaces literature. In 
practice, however, strand spaces and systems arise out of the agents executing 
protocols. In this section, we review the basics of how to derive a strand system from 
an explicit protocol. This is a straightforward application of the techniques of [Fagin 
et al. 1995]. We then explore, using this approach, why the strand spaces approach 
is successful when dealing with typical protocols, despite the restrictions pointed out 
in Section 4. Roughly speaking, the strand systems that are generated from typical 
protocols are images of strand spaces via our translation. In other words, typical 
authentication protocols do not lead to systems that cannot be expressed as strand 
spaces; these protocols do not make choices. This result is not surprising given our 
previous discussion in Section 4, but it does formally ground our intuition. (On 
the other hand, we should point out that modern security protocols often involve 
choosing subprotocols.) 

Intuitively, a protocol for agent $a \in \mathcal{A}$ is a description of what actions $a$ may take
as a function of her local state. What actions are we to allow in our protocols? This
question ties in with the computational model implicitly assumed by strand spaces.
Notice that in strand spaces, the receiver of a message cannot be specified. Indeed,
there is an edge $n_1 \rightarrow n_2$ between all nodes of the form $+u$ and $-u$.[8] Therefore, we
will consider a model where a send action sends a message nondeterministically to
any agent. The only other action we allow beyond send actions is a "do nothing"
no-op action. (We could also incorporate other actions, such as choosing keys,
or tossing coins to randomize protocols.) For simplicity, we take actions to be
deterministic, although protocols themselves can be nondeterministic. In other
words, we will not consider an action such as "send some nondeterministically
chosen message $u$", but rather a protocol chooses nondeterministically among the
actions "send $u_1$", "send $u_2$", etc.

We can formalize this intuition as follows. Fix a set $L_a$ of local states for agent
$a$ (the local states that arise in some system) and a set $\mathit{ACT}_a$ of possible actions
that agent $a$ can take. A protocol $P_a$ for agent $a$ is a function that associates
with every local state in $L_a$ a nonempty subset of actions in $\mathit{ACT}_a$. Intuitively,
$P_a(\sigma)$ is the set of actions that agent $a$ may perform in local state $\sigma$. Notice
that $a$'s actions can depend only on her local state. If $P_a$ prescribes a unique
action for $a$ at each local state, then $P_a$ is said to be deterministic. To consider
the effect of all the agents' protocols on the global state of the system, define a
joint protocol $(P_a : a \in \mathcal{A})$ to be a tuple consisting of a protocol for each of the
agents. A joint protocol maps a global state to a set of joint actions, where a
joint action is a tuple consisting of an action in $\mathit{ACT}_a$ for each agent $a$. Define
$(P_a : a \in \mathcal{A})((\sigma_a : a \in \mathcal{A})) = \{(\mathsf{a}_a : a \in \mathcal{A}) : \mathsf{a}_a \in P_a(\sigma_a)\}$.

[8] We could extend the notion of strand spaces to allow a specification of which $\rightarrow$ edges should
be included; we could also add a "tagging" mechanism to messages. However, our interest here is
not in extending the strand space formalism, but in modeling strand spaces as defined by THG.

Joint actions transform global states. Their effect is captured by a transition
function $\tau$ mapping global states to sets of global states.[9] Given a joint protocol,
a transition function, and a set of initial global states, we can generate a system
in a straightforward way. Intuitively, the system consists of all the runs that are
obtained by running the joint protocol from one of the initial global states. More
formally, say that run $r$ is consistent with joint protocol $P$ given transition function
$\tau$ if it could have been generated by $P$, that is, for all $m$, $r(m + 1)$ is the result
of applying a joint action $\mathsf{a}$ that could have been performed according to protocol
$P$ to $r(m)$. (More precisely, there exists a joint action $\mathsf{a} = (\mathsf{a}_a : a \in \mathcal{A})$ such that
$\mathsf{a}_a \in P_a(r_a(m))$ and $r(m + 1) \in \tau(\mathsf{a})(r(m))$.) For a joint protocol $P$, a transition
function $\tau$, and a set of initial states $I$, let $\mathcal{R}(P, \tau, I)$ be the set of all runs $r$ consistent
with $P$ given $\tau$ such that $r(0) \in I$.

We saw in Section 2 that strand systems are asynchronous systems; they do not
provide any guarantee either with respect to the time it takes to deliver a message,
or with respect to the relative rates at which agents perform actions. We can
capture this asynchrony by using an appropriate transition function. First, note
that the only action in strand systems is that of sending a message. Also, the local
state of an agent is its history. When agent $a$'s component of a joint action $\mathsf{a}$ is
$\mathrm{send}(u)$ for some message $u$, $\tau(\mathsf{a})$ may or may not actually send the message. If
the message is not sent, the agent's local state is unchanged, and hence the agent's
protocol will allow the message to be re-sent. A message can be delivered in any
round after it is sent (and may never be delivered at all). To capture this, we use
the strand transition function $\tau_P$ of a joint protocol $P$, defined as follows: a global
state $(\sigma'_a : a \in \mathcal{A}) \in \tau_P((\mathsf{a}_a : a \in \mathcal{A}))((\sigma_a : a \in \mathcal{A}))$ iff for all $a \in \mathcal{A}$, $\sigma'_a$ is either $\sigma_a$,
$\sigma_a \cdot \mathrm{sent}(u)$ (only if $\mathsf{a}_a = \mathrm{send}(u)$), or $\sigma_a \cdot \mathrm{recv}(u)$ (only if $\mathrm{sent}(u) \in \sigma'_b$ for some $b$).
We can check that using the strand transition function does indeed yield a strand
system. Note that in a strand system, each agent is assumed to start with an empty
initial local state. Hence, we always take the set of initial global states to be $I_0$,
which contains only the empty global state.

Theorem 6.1. $\mathcal{R}(P, \tau_P, I_0)$ is a strand system.
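As an added illustration (not code from the paper), the Python sketch below generates local histories from a joint protocol using the strand transition function exactly as stated above, for the nack/ack protocol of Section 4. It confirms that the history $\langle \mathrm{recv}(u), \mathrm{sent}(\mathit{ack}), \mathrm{sent}(\mathit{nack}) \rangle$, which the strand-space translation admits, is never generated by the protocol itself. The function names and the tuple encoding of histories are assumptions of the example, and the transition rule is applied literally, so repeated deliveries of a message are not filtered out.

```python
from itertools import product

NO_OP = None                      # the "do nothing" action
MESSAGES = ("u", "nack", "ack")   # every message of the nack/ack example

def p1(hist):
    """Agent 1: send(u) until sent(u) is in its history, then no-op."""
    return {"u"} if "sent(u)" not in hist else {NO_OP}

def p2(hist):
    """Agent 2: nack once while u has not arrived; ack once after it has."""
    if "recv(u)" not in hist:
        return {"nack"} if "sent(nack)" not in hist else {NO_OP}
    return {"ack"} if "sent(ack)" not in hist else {NO_OP}

JOINT_PROTOCOL = (p1, p2)         # one protocol per agent, local state = history

def successors(state):
    """All global states tau_P allows after one round from `state`,
    taken over every joint action the joint protocol permits."""
    result = set()
    for joint_action in product(*(p(h) for p, h in zip(JOINT_PROTOCOL, state))):
        per_agent = []
        for hist, action in zip(state, joint_action):
            options = [hist]                                 # nothing happens
            if action is not NO_OP:
                options.append(hist + (f"sent({action})",))  # the send goes out
            options += [hist + (f"recv({m})",) for m in MESSAGES]
            per_agent.append(options)
        for new_state in product(*per_agent):
            # recv(m) is allowed only if sent(m) is in some agent's NEW state.
            sent = {e for h in new_state for e in h if e.startswith("sent(")}
            if all(len(new) == len(old) or new[-1].startswith("sent(")
                   or "sent(" + new[-1][len("recv("):] in sent
                   for new, old in zip(new_state, state)):
                result.add(new_state)
    return result

def histories(agent_index, rounds):
    """Local histories of one agent in runs from the empty global state,
    explored for the given number of rounds."""
    frontier = {((), ())}
    seen = set(frontier)
    for _ in range(rounds):
        frontier = {n for s in frontier for n in successors(s)}
        seen |= frontier
    return {s[agent_index] for s in seen}

if __name__ == "__main__":
    h2 = histories(1, 3)
    print(("recv(u)", "sent(ack)", "sent(nack)") in h2)   # spurious history
    print(("sent(nack)", "recv(u)", "sent(ack)") in h2)   # genuine history
```
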

We now have all the machinery to explain why strand spaces can be suitable
for modeling typical protocols found in the literature. (We say can because part
of the suitability issue depends on the actual properties we want to prove, as we
will discuss in Section 7.) What do we mean by "suitable for modeling"? We have
described above how protocols generate systems in a natural way. Furthermore, we
saw in Section 4 that not every strand system arises as a translated strand space. In
those cases, the most natural strand space allows bundles that do not correspond to
states that actually occur in the system. A strand space is suitable as a model for a
system if the translation of that strand space (under some agent assignment) yields
the system. We interpreted our results of Section 4 as showing that strand spaces
could not express choice (and other related forms of nondeterminism). Hence,
intuition would indicate that if a protocol avoids such nondeterminism, strand
spaces should be suitable for modeling the generated system.

[9] In [Fagin et al. 1995], the transition function is taken to be a function from global states to global
states. The nondeterminism inherent in our definition is avoided by taking an environment as an
extra agent in systems. For simplicity, we have not considered environments in this paper.

It turns out that capturing this intuitive notion is not so easy. The restrictions
that must be imposed to ensure that the generated strand system can be expressed
as a strand space are nontrivial. To make them precise, we need a few definitions.
For a class $V$ of protocols, a joint protocol $(P_a : a \in \mathcal{A})$ is decomposable into
protocols in $V$ if for each agent $a$, we can find protocols $P_a^1, P_a^2, \ldots$ in $V$ such that
for all global states $(\sigma_a : a \in \mathcal{A})$ we have $P_a(\sigma_a) = \bigcup_i P_a^i(\sigma_a)$. In other words,
a decomposable joint protocol can be understood as each agent running a set of
protocols in a given class $V$. A deterministic protocol $P$ is monotone if there exist
events $e_1, e_2, \ldots$ (the sequence may be finite or infinite), such that for any local state
$\sigma$, we have $P(\sigma) = \{\mathrm{send}(u)\}$, if $e_{i+1} = \mathrm{sent}(u)$ and $i$ is the largest index such that
$e_1, \ldots, e_i \in \sigma$; and $P(\sigma) = \{\text{no-op}\}$ otherwise. Informally, a deterministic protocol
is monotone if the possible action at a state depends only on whether or not a given
set of events has occurred. (Other events in the state do not affect the possible
action.) For example, a monotone protocol may be of the form: send message $u_1$,
wait for message $u_2$, send message $u_3$. This is monotone in our sense, since $u_1$ is
sent no matter what, and $u_3$ is sent if and only if $u_2$ is received. This means that if
certain messages are sent by $a$ in one run of the protocol, they must be sent by $a$ in
all runs of the protocol. This must be true even if the protocol is run in parallel with
other protocols (or other instantiations of the same protocol). In a sense, monotone
protocols don't "interact"; if an agent is running multiple monotone protocols at
the same time, they cannot keep each other from proceeding.

It is not hard to show that neither of the two systems that we showed in Section 4
to be not representable as strand spaces is generated by monotone protocols. The
first protocol (where there was a nondeterministic choice) is not itself monotone,
since agent 2 nondeterministically chooses to send a message to agent 1 or agent 3.
Nor can it be split into two deterministic monotone protocols, one to communicate
with agent 1 and one to communicate with agent 3. Sending a message in one
protocol would prevent a message being sent in another, and thus neither of the
two deterministic protocols is monotone. Intuitively, the two protocols interact,
something disallowed by monotonicity. Agent 2's protocol in the nack/ack example
is not monotone either. The obvious sequence of events for agent 2's protocol
is $\mathrm{sent}(\mathit{nack})$, $\mathrm{recv}(u)$, $\mathrm{sent}(\mathit{ack})$, but this does not capture the protocol, since runs
where 2 receives $u$ before sending the nack message will not arise in the protocol
corresponding to this sequence.

The following theorem shows that joint protocols decomposable into monotone
protocols can indeed be modeled by strand spaces:

Theorem 6.2. If $P$ is a joint protocol decomposable into monotone protocols,
then there exists a strand space $\Sigma$ and an agent assignment $A$ such that $T_A(\Sigma) = \mathcal{R}(P, \tau_P, I_0)$.

Theorem 6.2 somewhat explains why the restrictions on the modeling power 
of strand spaces we pointed out in Section 4 are not an issue when analyzing 
security protocols of the kind typically found in the literature. These protocols are 
monotone. Note that the penetrator in strand spaces analyses also runs a protocol 
that is a union of monotone protocols: send a new message, send a concatenation of 
two received messages, send part of a received message. These monotone protocols 
correspond exactly to the so-called penetrator strands. 

7. DISCUSSION 

In this paper, we have investigated the relationship between strand spaces and 
multi-agent systems. Our results show that strand spaces are strictly less expressive 
than strand systems, a subclass of multi-agent systems that seems to capture the 
assumptions underlying strand spaces, in two quite distinct respects. The first is 
that strand spaces cannot express choice, the fact that exactly one of two possible 
behaviors is chosen. The second is that strand spaces have no notion of agents. 

How serious are these two issues? That depends, of course, on what we are trying 
to prove. Consider first the inability of strand spaces to express choice. In [Thayer 
et al. 1999b], the types of properties proved typically have the form "for all bundles 
in the strand space, X happens". One way to interpret our result of Section 4 is
that when a strand space is used to model a system, some of the bundles may not 
correspond to situations that actually arise in the system — those bundles can be 
seen as "impossible" bundles. This is not a problem, of course, if the property of 
interest in fact holds in the larger system. However, this may not always be the 
case. For example, we may well want to prove that a property like "agent 2 sends 
at most one message" holds in all executions of a protocol. If the protocol also has 
the property that agent 2 can send messages to either 1 or 3 (as is the case in the 
protocol described by the system $\mathcal{R}_1$ in Section 4), then the fact that agent 2 sends
at most one message in every execution of the protocol will simply not be provable 
in the strand-space framework. On the other hand, as we saw in Section 6, if we 
consider only strand systems generated from protocols decomposable into monotone 
protocols, a fairly restrictive class of protocols, then we know that there is a strand 
space modeling the system that does not contain any such "impossible" bundles. 

The runs of a strand system can be viewed as a linearization of bundles, that 
is, an explicit ordering of the actions performed by agents in different bundles. 
THG suggest that results about strands can be imported to runs. For example, on 
page 226, they say "[Alternatively,] results about authentication protocols proved 
in a strand space context can be imported into the more usual linear models 
by linearizing the bundles." Our results point to subtleties in doing this. More 
precisely, while results about strands can be imported to results about runs (the 
runs that arise from translating the strand space to a system), the converse may 
not be true, depending on the expressiveness of the language. 

Turning to the issue of agents, the strand-space framework assumes that messages 
relayed between strands form the only means of exchanging information between 
strands. In other words, there is no shared state between strands. Therefore, 
for all intents and purposes, we can imagine that every strand is executed by a 
different agent. On the other hand, if the same agent is executing two strands
then, intuitively, it should know whatever is happening on both strands, without 
requiring communication between them. Furthermore, as soon as one wants to 
analyze the properties of strand spaces using belief and knowledge, agents to which 
the knowledge can be ascribed are needed. But even without bringing in knowledge, 
we need to be careful in interpreting security results proved under the assumption 
that different agents perform different strands. Clearly this assumption is not, 
in general, true. Ideally, security protocols should be proved correct under any 
"reasonable" assignment of agents to roles in the security protocol. At the very 
least it should be clear under which assignments the result holds. For instance, 
it is known that methods for the analysis of cryptographic protocols that fail to 
handle multiple roles for the same agent do not yield dependable results, as they 
may not reveal multi-role flaws. Snekkenes [1992] studies such flaws in the context
of various cryptographic protocol logics. Multi-role flaws commonly arise when a 
cryptographic protocol logic implicitly assumes that if an agent a takes on a role 
A in some session, then he will not also take on another role B in some different 
session. This assumption is often a consequence of the identification of the notions 
of role and agent. Snekkenes shows that reasonable protocols that can be proved
correct under the assumption that an agent takes on the same role in all sessions 
are flawed if this assumption is dropped. Recent work on analyzing mixed protocols 
using strand spaces [Thayer et al. 1999a] shows that strand spaces can be extended 
to deal with what essentially amount to multi-role flaws. However, the approach 
often requires phantom messages (messages that are not actually exchanged during 
runs of the protocols) to carry state information between the different protocol 
strands corresponding to the same agent. 

Some of the topics we have explored in this paper appear in various forms in other 
work. For example, Cervesato et al. [2000] define a notion of parametric strand, 
essentially a strand where messages may contain variables. Parameterized strands 
correspond to roles, which are implicit in the original work on strand spaces. The 
work of Cervesato et al. also deals with the evolution of the system described by 
a strand space; they define a one-step transition between bundles. The transition 
is reminiscent of the one we describe in Section 3, but is restricted to extending 
a single strand at a time. (They also allow actions specific to their formalization, 
such as the instantiation of a strand from a parametric strand.) 

The set of runs in the system and the agent assignment are particularly significant 
when we consider specifications that are not run-based [Fagin et al. 1995; Halpern 
2000]. A run-based specification is checked on a per-run basis. For example, "agent 
2 sends at most 1 message" is a run-based specification: given a run, one can check 
whether the property holds for that run. A run-based specification holds for a set 
of runs if it holds for all runs in the set. In contrast, a knowledge-based specification 
[Fagin et al. 1995; Halpern 2000] such as "after running the protocol, agent 2 knows 
X" cannot be checked on a per-run basis, as it relies on the set of runs as a whole 
to verify the property. It holds if, in all runs in the system that agent 2 considers 
possible after running the protocol, X holds. Clearly it does not suffice to look at an 
individual run to determine whether such a property holds. Similarly, probabilistic 
specifications like "X holds in at most 3% of the runs" also depend on the whole 
system and cannot be checked simply by examining individual runs.

Typical specifications in the security literature are safety properties (in the sense 
of Alpern and Schneider [1985], "bad things don't happen"), and hence are
run-based. Run-based specifications have the property that if they hold in a system,
they hold in any subset of the runs of the system. It is "safe" to prove that 
a run-based specification holds of a strand space which translates to a superset 
of the intended system. Proving that the property holds for "impossible" runs 
does not hurt. This is not the case for properties that are not run-based. We 
believe that knowledge-based specifications, as well as probabilistic ones, will play 
a significant role in the design and analysis of security protocols. Fairness is a 
good example. A protocol is fair if intuitively no protocol participant can gain an 
advantage over other participants by misbehaving. In the context of fair exchange 
protocols [Asokan et al. 1998; Ben-Or et al. 1990; Shmatikov and Mitchell 2000], 
where two agents exchange one item for another, fairness ensures that either each 
agent receives the item it expects, or neither receives any information about the 
other's item. This notion of "not receiving any information" can be interpreted as 
meaning that no knowledge is gained. Our results suggest that strand spaces, as 
currently defined, will have difficulty handling such specifications. 

We should point out that it is straightforward to reason about knowledge in 
the context of strand spaces. For instance, Syverson [1999] describes a framework 
where the set of bundles in a strand space is viewed as a set of possible worlds. 
He associates with every strand in the strand space a principal, as we do, and uses 
this setting to provide a model for the knowledge of principals. As his framework 
is directly based on strand spaces, it suffers from the same expressiveness problems 
we pointed out in Section 4. This emphasizes that the problem we point out is 
not a problem of how to express knowledge in strand spaces. Rather, it is purely a 
problem with expressiveness of the models allowed in the strand-space framework. 

Despite these criticisms, we feel strand spaces are an important and useful
formalism. They can be used to provide simple, transparent proofs of run-based
properties. Our results suggest it is worth exploring their limitations and the 
extent to which extensions of strand spaces (such as the extended strand spaces 
introduced here) retain these properties. 

A. PROOFS 

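Theorem 3.1. $\mathcal{R}(\Sigma, \mathcal{A}, A)$ is a strand system.

PROOF. Let $V_a$ consist of all the histories $r_a(m)$ for $r \in \mathcal{R}(\Sigma, \mathcal{A}, A)$. Let $\mathcal{R}'$ be
the strand system generated by the sequence $(V_a : a \in \mathcal{A})$. To show that $\mathcal{R}(\Sigma, \mathcal{A}, A)$
is a strand system, it clearly suffices to show that $\mathcal{R}(\Sigma, \mathcal{A}, A) = \mathcal{R}'$. It is easy to
check from the construction that every run in $\mathcal{R}(\Sigma, \mathcal{A}, A)$ satisfies MP1-3, and thus
is in $\mathcal{R}'$. This shows that $\mathcal{R}(\Sigma, \mathcal{A}, A) \subseteq \mathcal{R}'$.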

To show that $\mathcal{R}' \subseteq \mathcal{R}(\Sigma, \mathcal{A}, A)$, let $r$ be a run in $\mathcal{R}'$. We know that $r$ satisfies
MP1-3, and that $r_a(m) \in V_a$ for all $m \geq 0$. We need to construct a chain $C$ such
that $r_a(m) = \mathit{hist}_a^m(C)$ for all $a \in \mathcal{A}$. Unfortunately, we cannot simply construct the
chain inductively, bundle by bundle. While this would work if different strands were
associated with different agents, in general, making the correct choice of strands at
each step (correct in the sense that the construction will not get stuck at a later
point) turns out to require arbitrary lookahead into the run. Roughly speaking,
this is because it is not clear which combination of strands for agent $a$ to choose to
make up $a$'s local state in a particular bundle.

Instead, we proceed as follows. Intuitively, we want to determine for each agent 
which strand prefix to extend at every step of the chain. Once we have found for 
each agent an appropriate way of extending strand prefixes at every step, it is not 
hard to construct the bundles in the chain. 

We start with some definitions. Given a node $(s, k)$ in $\Sigma$, let $\mathit{tr}(s, k)$ be the
prefix of $\mathit{tr}(s)$ of length $k$. Given a bundle $B$ and an agent $a$, let

$$\mathit{Tr}_a(B) = \{\{\mathit{tr}(s, k) : (s, k) \in \mathcal{N}_B,\ (s, k+1) \notin \mathcal{N}_B,\ k \geq 1,\ A(s) = a\}\},$$

where we use the $\{\{\ \}\}$ notation to denote multisets. Thus, $\mathit{Tr}_a(B)$ is the multiset
consisting of all the maximal prefixes of strands associated with $a$ having at least
one node in $B$. Note that $\mathit{Tr}_a(B)$ is a multiset, not a set. It is quite possible that
there are distinct nodes $(s, k)$ and $(s', k)$ in $\mathcal{N}_B$ such that
$\mathit{tr}(s, k) = \mathit{tr}(s', k)$ and $(s, k+1), (s', k+1) \notin \mathcal{N}_B$. In this case,
$\mathit{tr}(s, k)$ is listed at least twice in the multiset. Given a multiset $M$ of sequences, let
$\mathcal{B}_a(M) = \{B : \mathit{Tr}_a(B) = M\}$. That is, $\mathcal{B}_a(M)$ consists of all bundles
where the actions performed are precisely those specified by the sequences in $M$.

For each agent $a$, we inductively construct the following tree, whose vertices
are labeled by multisets of sequences. The root is labeled by the empty multiset.
Suppose a vertex $u$ at level $m$ (that is, at distance $m$ from the root) is labeled
with the multiset $M$. If $r_a(m+1) = r_a(m)$, then $u$ has a unique successor, also
labeled with $M$. If, on the other hand, $r_a(m+1) = r_a(m) \cdot e$ for some event $e$,
then let $t$ be the term corresponding to $e$ (i.e., if $e$ is $\mathit{sent}(u)$ then $t$ is $+u$,
and if $e$ is $\mathit{recv}(u)$ then $t$ is $-u$). For each sequence $S$ in $M$, let $M_S$ be the
multiset that results from replacing $S$ in $M$ by $S \cdot t$. We construct a successor of $M$
labeled $M_S$ if $\mathcal{B}_a(M_S) \neq \emptyset$. (If $\mathcal{B}_a(M_S) \neq \emptyset$ and there are
several occurrences of $S$ in $M$, then we construct one successor for each occurrence.) In
addition, if $\mathcal{B}_a(M \cup \{\{\langle t \rangle\}\}) \neq \emptyset$, we construct a successor
of $u$ labeled $M \cup \{\{\langle t \rangle\}\}$. Note that, for all multisets labeling
a level-$m$ vertex, the set of events specified by the sequences in $M$ are precisely
those performed in $r_a(m)$.

Our goal is to find an infinite path in this tree. That such a path exists is
immediate from König's Lemma, once we show that the tree has infinitely many
vertices, each with finite outdegree.

An easy induction shows that a multiset at level m has at most m elements 
(counted with multiplicity). Moreover, it is immediate from the construction that 
the outdegree of a vertex on the tree is at most one more than the cardinality of 
the multiset labeling it. Thus, it follows that the outdegree of each vertex is finite. 

Showing that the tree has an infinite number of vertices is also relatively
straightforward. We show by induction on $m$ that for all times $m$, if
$r_a(m) = \mathit{hist}_a^k(C)$ and $C = B_0 \mapsto B_1 \mapsto \ldots$, then there is a vertex at
level $m$ in the tree labeled by the multiset $\mathit{Tr}_a(B_k)$. The base case is immediate,
since $\mathit{Tr}_a(\emptyset) = \{\{\}\}$ is the label of the root of the tree. Now suppose that the
result holds for $m$; we prove it for $m+1$. Suppose that $r_a(m+1) = \mathit{hist}_a^k(C)$. Then
there must be some $k' \leq k$ such that $r_a(m) = \mathit{hist}_a^{k'}(C)$. Moreover, either
$\mathit{hist}_a^{k'}(C) = \mathit{hist}_a^k(C)$, in which case $r_a(m) = r_a(m+1)$, or
$\mathit{hist}_a^k(C)$ is the result of appending one event, say $e$, to $\mathit{hist}_a^{k'}(C)$ and
$r_a(m+1)$ is the result of appending $e$ to $r_a(m)$. If $C = B_0 \mapsto B_1 \mapsto \ldots$ then,
by the induction hypothesis, there is a vertex $u$ of the tree at level $m$ labeled by
$M = \mathit{Tr}_a(B_{k'})$. If $r_a(m) = r_a(m+1)$, then $M = \mathit{Tr}_a(B_k)$ is also the label of
a successor of $u$. Otherwise, if $M' = \mathit{Tr}_a(B_k)$, it is clear that $M'$ is the result of
extending one of the strands in $M$ by one node (corresponding to event $e$). Thus, $M'$ is the
label of some successor of $u$. This completes the inductive step. Since $r$ is in
$\mathcal{R}'$, it follows that, for all $m$, there exists some chain $C$ and $k$ such that
$r_a(m) = \mathit{hist}_a^k(C)$. Thus, there are infinitely many vertices in the tree.

It now follows from König's Lemma that there is an infinite path in the tree.
Thus, it follows that, for every agent $a$, there exists an infinite sequence
$M_0^a, M_1^a, \ldots$ of multisets, such that $\mathcal{B}_a(M_k^a) \neq \emptyset$ for all $k$. We now
construct a chain $C = B_0 \mapsto B_1 \mapsto \ldots$ by building the bundle $B_k$ from the traces in
$\{M_k^a : a \in \mathcal{A}\}$. For each $a$ and $k$, there is a bundle $B_k^a$ such that
$\mathit{Tr}_a(B_k^a) = M_k^a$. Let $B_k$ consist of the nodes in $\bigcup_{a \in \mathcal{A}} B_k^a$ (so
that the strands associated with $a$ in $B_k$ are precisely those associated with $a$ in
$B_k^a$), adding $\to$ edges between corresponding nodes according to MP2 in the run $r$. That
$B_k$ is a bundle follows from the fact that every node appearing in a multiset $M_k^a$
corresponds to an event in $r_a(k)$, by construction. It should be clear that for all $k$,
$B_k \mapsto B_{k+1}$, since for each agent, the traces are extended by a single node, and we can
pick the bijection $f$ to map strands from $B_k$ to $B_{k+1}$ so that the corresponding
sequences in $M_k^a$ and $M_{k+1}^a$ match.

A straightforward induction argument shows that the chain $C = B_0 \mapsto B_1 \mapsto \ldots$
is such that $r_a(m) = \mathit{hist}_a^m(C)$ for all $m \geq 0$. □

Theorem 3.2. Every global state of $\mathcal{R}(\Sigma, \Sigma, \mathit{id})$ is message-equivalent to a
bundle of $\Sigma$ of finite height, and every bundle of $\Sigma$ of finite height is
message-equivalent to a global state of $\mathcal{R}(\Sigma, \Sigma, \mathit{id})$.

We first prove two lemmas about chains. 

Lemma A.1. In a chain $C = B_0 \mapsto B_1 \mapsto B_2 \mapsto \ldots$, the height of $B_n$ is at most
$2n$.

Proof. We show this by induction on $n$. Clearly, the height of $B_0$ is 0. Assume
the result holds for the bundle $B_m$. Consider the bundle $B_{m+1}$. Since
$B_m \mapsto B_{m+1}$, there is a bijection $f$ such that $B_m \sqsubseteq_f B_{m+1}$. Consider a
causal path $n_1 \leadsto n_2 \leadsto \ldots$ in $B_{m+1}$, where $\leadsto$ is either $\to$ or
$\Rightarrow$. We claim that it contains at most two "new nodes", that is, it contains at most two
nodes in $B_{m+1}$ not of the form $(f(s), i)$ for some node $(s, i)$ in $B_m$; moreover, the
"new" nodes must come at the end of the causal path. To see this, suppose that $n$ is a new
node on the path and $n \leadsto n'$ for some $n'$ on the path. If $n'$ is not a new node, it
cannot be the case that $n \to n'$ (for otherwise, by B2, $n$ would not be a new node), and it
cannot be the case that $n \Rightarrow n'$ (for otherwise, by B3, $n$ would not be a new node).
Thus, $n'$ must be a new node. It follows that all the new nodes on the causal path must
follow the old nodes on the path. Now suppose that there are three new nodes on
the path; then it must be the case that there are three new nodes $n$, $n'$, $n''$ such
that $n \leadsto n' \leadsto n''$. It cannot be the case that $n \Rightarrow n'$, for then $n$ and $n'$
are both on the same strand, contradicting the assumption in the construction that at most
one new event is added per agent. Similarly, it cannot be the case that $n' \Rightarrow n''$.
Thus, we must have $n \to n' \to n''$. But then $\mathit{term}(n') = -u$ for some message $u$,
and it cannot be the case that $n' \to n''$. Thus, it follows that the causal path has at
most two new nodes. Since, by the induction hypothesis, there are at most $2m + 1$
"old" nodes on the path, the path has at most $2m + 3$ nodes and hence length at
most $2m + 2$, as desired. □

Note that Lemma A.1 does not depend on the assumption that each strand is
associated with a distinct agent; the following lemma does.

Lemma A.2. If $B$ is a bundle of finite height, then there exist bundles $B_1, \ldots, B_k$
for some $k$ such that $B_0 \mapsto B_1 \mapsto \ldots \mapsto B_k \mapsto B$.

Proof. First note that if $n$ is the last node on a causal path in a bundle $B$ of
maximum length, then either $\mathit{term}(n) = -u$ for some $u$ or $\mathit{term}(n) = +u$ for some
$u$ and there is no corresponding receive node in $B$.

We now prove the result by induction on the height of $B$, that is, the length of
the longest causal path. Clearly, if the height of $B$ is 0, then $B = B_0$. Otherwise,
let $B'$ be the bundle derived from $B$ in the following way: for every strand $s \in \Sigma$,
if the last term of the prefix of $s$ in $B$ is $-u$ for some $u$ or if the last term is $+u$ and
there is no corresponding $-u$ in $B$, then let $B'$ contain the prefix of $s$ that consists
of every node in $s$ that is in $B$ but the last one; otherwise, let $B'$ contain the same
prefix of $s$ as $B$. Clearly, $B' \mapsto B$. (Here we need the assumption that each strand
is associated with a different agent to ensure that in going from $B'$ to $B$, each agent
performs at most one action.) Moreover, by the initial observation, $B'$ does not
include the last node of any causal path of maximum length in $B$. Therefore, the
height of $B'$ is one less than the height of $B$. Applying the induction hypothesis,
we get bundles $B_0 \mapsto B_1 \mapsto \ldots \mapsto B_k \mapsto B' \mapsto B$, proving the result. □

Proof. (Theorem 3.2) If $\langle \sigma_s : s \in \Sigma \rangle$ is a global state in
$\mathcal{R}(\Sigma, \Sigma, \mathit{id})$, then there must be some chain $C = B_0 \mapsto B_1 \mapsto \ldots$ and
time $m$ such that $r^C(m) = \langle \sigma_s : s \in \Sigma \rangle$. By construction,
$r^C_s(m) = \mathit{hist}_s^m(C)$, for each strand $s \in \Sigma$. (Recall that
$\mathcal{A} = \Sigma$; we are associating each strand with a different agent.) Moreover,
$\mathit{hist}_s^m(C)$ is just the sequence of events performed in strand $s$ in $B_m$ (that is, the
prefix of $\mathit{tr}(s)$ in $B_m$, under the standard correspondence between terms and events).
Therefore, $\langle \sigma_s : s \in \Sigma \rangle$ is message-equivalent to $B_m$. Moreover, by
Lemma A.1, $B_m$ has finite height.

Conversely, given a bundle $B$ of finite height, by Lemma A.2, there must exist
$m$ and bundles $B_0, \ldots, B_m$ such that $B_0 \mapsto \ldots \mapsto B_m \mapsto B$. Thus,
$C = B_0 \mapsto \ldots \mapsto B_m \mapsto B \mapsto B \mapsto B \mapsto \ldots$ is a chain. Let $r^C$ be the
run in $\mathcal{R}(\Sigma, \Sigma, \mathit{id})$ corresponding to $C$. By the same argument as above,
$r^C(m+1)$ is message-equivalent to $B$. □

Theorem 4.1. There is no agent assignment $A$ and $A$-history preserving
translation $T$ from strand spaces to strand systems such that the strand system
$\mathcal{R}_1$ is in the image of $T$.

Proof. By way of contradiction, suppose that $\Sigma$ is a strand space, $A$ is an agent
assignment, $T$ is a translation which is $A$-history preserving, and $T(\Sigma) = \mathcal{R}_1$.
Since $T$ is $A$-history preserving, the presence of $r_1$ ensures that there is a bundle $B_1$
in $\Sigma$ such that associated with agent 2 in $B_1$ is either a strand with prefix
$\langle +u, -v \rangle$ or strands with prefix $\langle +u \rangle$ and $\langle -v \rangle$, and associated
with agent 1 in $B_1$ there is either a strand with prefix $\langle -u, +v \rangle$ or strands with
prefix $\langle -u \rangle$ and $\langle +v \rangle$. Similarly, the presence of $r_2$ in $\mathcal{R}_1$
guarantees that there is a bundle $B_2$ in $\Sigma$ such that associated with agent 2 in $B_2$
is either a strand with prefix $\langle +x, -y \rangle$ or strands with prefix $\langle +x \rangle$ and
$\langle -y \rangle$, and associated with agent 3 is either a strand with prefix
$\langle -x, +y \rangle$ or strands with prefix $\langle -x \rangle$ and $\langle +y \rangle$. In all those
cases, there must be a bundle containing nodes with the terms $+u$, $-u$, $+v$, $-v$, $+x$,
$-x$, $+y$, and $-y$. The nodes $+u$, $-v$, $+x$, and $-y$ are all on strands associated with
agent 2. Since $T$ is $A$-history preserving, there must be a run in $\mathcal{R}_1$ that contains
four events for agent 2. This is a contradiction. □

Theorem 5.1. $\mathcal{R}(\Sigma, \mathcal{A}, A, \mathit{Conf})$ is a strand system.

Proof. The proof is similar to that of Theorem 3.1. We simply need to check
that when we are proving the $\mathcal{R}' \subseteq \mathcal{R}(\Sigma, \mathcal{A}, A, \mathit{Conf})$ inclusion
and constructing each bundle $B_k$ in the chain $C$ from the collection of traces
$\{M_k^a : a \in \mathcal{A}\}$, each bundle is in fact a bundle in the extended strand space sense.
This follows from the fact that we can choose for each agent $a$ the strands making up the
bundle in such a way that none of the strands conflict, since we assumed that
$\mathcal{B}_a(M_k^a) \neq \emptyset$ for $M_k^a$, and therefore there must exist strands with the
appropriate prefixes that do not conflict. □

Theorem 5.2. Given a strand system $\mathcal{R}$ over $\mathcal{A}$, there exists an extended strand
space $(\Sigma, \mathcal{A}, A, \mathit{Conf})$ such that $T_A(\Sigma, \mathcal{A}, A, \mathit{Conf}) = \mathcal{R}$.

Proof. Let $V_a$ be a set of histories for each agent $a$, such that $\mathcal{R}$ is generated
by the sequence $\langle V_a : a \in \mathcal{A} \rangle$. Without loss of generality, assume that each
$V_a$ is minimal, in the sense that every history in $V_a$ actually appears in some run of
$\mathcal{R}$. Define the strand space $\Sigma = \{s_a^h : a \in \mathcal{A}, h \in V_a\}$ with a trace
mapping $\mathit{tr}(s_a^{\langle e_1, \ldots, e_k \rangle}) = \langle t_1, \ldots, t_k \rangle$, where if $e_i$
is $\mathit{sent}(u)$, then $t_i$ is $+u$, and if $e_i$ is $\mathit{recv}(u)$, then $t_i$ is $-u$.

We define the conflict relation $\mathit{Conf} \subseteq \Sigma \times \Sigma$ to ensure that bundles
include only one strand per agent. We set $\mathit{Conf}(s_a^h, s_a^{h'})$ if and only if
$h \neq h'$. Intuitively, since a bundle in $(\Sigma, \mathcal{A}, A, \mathit{Conf})$ can include only one
strand per agent, and since strands correspond to possible local states, bundles correspond
to global states of the system $\mathcal{R}$.

We show that $T_A$ maps $(\Sigma, \mathcal{A}, A, \mathit{Conf})$ to $\mathcal{R}$, via the agent assignment
$A(s_a^h) = a$. This is a direct consequence of the proof of Theorem 5.1. We know that
$\mathcal{R}$ is generated by $\langle V_a : a \in \mathcal{A} \rangle$. We also know that
$T_A(\Sigma, \mathcal{A}, A, \mathit{Conf})$ is generated by $\langle V'_a : a \in \mathcal{A} \rangle$, where
$V'_a = \{\mathit{hist}_a^m(C) : C \in \mathit{Chains}(\Sigma, \mathcal{A}, A, \mathit{Conf}),\ m \geq 0\}$.
Therefore, to show that $T_A(\Sigma, \mathcal{A}, A, \mathit{Conf}) = \mathcal{R}$, it is sufficient to show
that $V_a = V'_a$ for all $a \in \mathcal{A}$.

Fix an agent $a \in \mathcal{A}$. We first show that $V_a \subseteq V'_a$. Let $h$ be a history in
$V_a$, and let $r \in \mathcal{R}$ and $m \geq 0$ be such that $r_a(m) = h$. For each $k \leq m$, define
$B_k$ to be the bundle formed by the strands $\{s_{a'}^{r_{a'}(k)} : a' \in \mathcal{A}\}$, with edges
between nodes on different strands given by MP2. (That $B_k$ is a bundle follows from the
properties MP1-3 on $r$.) It is easy to see that $B_k \mapsto B_{k+1}$ (for $k = 0, \ldots, m-1$).
Let $C$ be the chain $B_0 \mapsto \ldots \mapsto B_m \mapsto B_m \mapsto B_m \mapsto \ldots$. Then
$\mathit{hist}_a^m(C)$ is just the set of events corresponding to strand $s_a^{r_a(m)} = s_a^h$, which
is just $h$. Therefore, $h \in V'_a$. Showing that $V'_a \subseteq V_a$ is similar. Let $h$ be a
history in $V'_a$, so that there exists a chain $C$ with $h = \mathit{hist}_a^m(C)$ for some
$m \geq 0$. By construction, there exists a run $r^C \in \mathcal{R}$ such that
$r^C_a(m) = \mathit{hist}_a^m(C) = h$. Thus, $h$ is a local state of some run in $\mathcal{R}$, and
$h \in V_a$. □
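The counting argument in the proof of Theorem 4.1, and the way a conflict relation as in Theorems 5.1 and 5.2 removes the offending bundle, can be checked by enumeration. The following Python is an added example, not code from the paper; the strand names, the restriction to the case where each exchange sits on a single strand, the final histories used for $r_1$ and $r_2$, the particular choice of Conf, and the simplified bundle test (every included receive has a matching included send) are assumptions made for illustration.

```python
from itertools import product

# Constructed strand space: the case in the proof of Theorem 4.1 where each
# exchange sits on one strand. A term is (sign, message): "+" send, "-" receive.
STRANDS = {
    "s2_uv": (("+", "u"), ("-", "v")),  # agent 2, exchange with agent 1
    "s1_uv": (("-", "u"), ("+", "v")),  # agent 1
    "s2_xy": (("+", "x"), ("-", "y")),  # agent 2, exchange with agent 3
    "s3_xy": (("-", "x"), ("+", "y")),  # agent 3
}
AGENT_OF = {"s2_uv": 2, "s1_uv": 1, "s2_xy": 2, "s3_xy": 3}  # agent assignment A

# Conflict relation for the extended strand space: agent 2's two strands
# may not appear in the same bundle (hypothetical choice for this example).
CONF = frozenset({frozenset({"s2_uv", "s2_xy"})})

# Final local histories of the two runs of R_1, built from the prefixes named
# in the proof (constructed sample data).
R1_RUNS = {
    "r1": {1: ("recv u", "sent v"), 2: ("sent u", "recv v"), 3: ()},
    "r2": {1: (), 2: ("sent x", "recv y"), 3: ("recv x", "sent y")},
}


def is_bundle(prefix_len, conf=frozenset()):
    """Simplified bundle test on a choice of strand prefixes.

    prefix_len maps each strand to the number of its nodes included, so the
    node set is closed under the strand order by construction. We require that
    every included receive has a matching included send and that no two
    strands related by conf both contribute nodes.
    """
    terms = [STRANDS[s][i] for s, k in prefix_len.items() for i in range(k)]
    sent = {msg for sign, msg in terms if sign == "+"}
    if any(sign == "-" and msg not in sent for sign, msg in terms):
        return False
    active = {s for s, k in prefix_len.items() if k > 0}
    return not any(pair <= active for pair in conf)


def bundles(conf=frozenset()):
    """Enumerate every prefix choice that passes is_bundle."""
    names = list(STRANDS)
    ranges = [range(len(STRANDS[s]) + 1) for s in names]
    return [b for b in (dict(zip(names, ks)) for ks in product(*ranges))
            if is_bundle(b, conf)]


def events_of(agent, bundle):
    """Size of the agent's local history: nodes on all strands assigned to it."""
    return sum(k for s, k in bundle.items() if AGENT_OF[s] == agent)


def max_events(agent, conf=frozenset()):
    """Largest local history the agent has in any bundle of the strand space."""
    return max(events_of(agent, b) for b in bundles(conf))


def max_events_in_runs(agent):
    """Largest local history the agent has in any run of R_1."""
    return max(len(run[agent]) for run in R1_RUNS.values())


if __name__ == "__main__":
    print("agent 2 in R_1 runs:        ", max_events_in_runs(2))
    print("agent 2, plain strand space:", max_events(2))
    print("agent 2, with Conf:         ", max_events(2, CONF))
```

Without the conflict relation, the union of the two exchanges is itself a bundle, so agent 2 acquires a four-event history that no run of $\mathcal{R}_1$ contains; with it, the largest history for agent 2 matches the runs.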

Theorem 6.1. $\mathcal{R}(P, \tau_P, \mathcal{I}_0)$ is a strand system.

Proof. Let $\mathcal{R}$ be $\mathcal{R}(P, \tau_P, \mathcal{I}_0)$, and let $V_a$ consist of all the histories
$r_a(m)$ for $r \in \mathcal{R}$. Let $\mathcal{R}'$ be the strand system generated by
$\langle V_a : a \in \mathcal{A} \rangle$. It is sufficient to show that for all runs $r$,
$r \in \mathcal{R}$ iff $r \in \mathcal{R}'$.

First, assume that $r \in \mathcal{R}$, that is, that $r$ is consistent with $P$ given $\tau_P$, and
that $r(0) \in \mathcal{I}_0$. By construction, $r_a(m) \in V_a$ for all $a$ and all $m$, and hence $r$
satisfies MP1. By definition of $\tau_P$, if $\mathit{recv}(u) \in r_a(m)$, then
$\mathit{sent}(u) \in r_b(m)$ for some $b$, and hence $r$ satisfies MP2. Finally, $r_a(0)$ is the
empty sequence because $r(0) \in \mathcal{I}_0$, and by definition of $\tau_P$, $r_a(m+1)$ is either
$r_a(m)$ or the result of appending one event to $r_a(m)$, and hence $r$ satisfies MP3.
Therefore, $r \in \mathcal{R}'$.

Second, assume that $r \in \mathcal{R}'$, that is, $r$ satisfies MP1-3. The fact that
$r(0) \in \mathcal{I}_0$ is a consequence of MP3: $r_a(0)$ is the empty sequence for all $a$. To show
consistency with $P$ given $\tau_P$, we exhibit, for any $m$, a joint action $\mathsf{a}$ such that
$r(m+1) \in \tau_P(\mathsf{a})(r(m))$. Let $r(m) = \langle \sigma_a : a \in \mathcal{A} \rangle$, and
$r(m+1) = \langle \sigma'_a : a \in \mathcal{A} \rangle$. For any $a \in \mathcal{A}$, if
$\sigma'_a = \sigma_a$, let $\mathsf{a}_a$ = no-op; if $\sigma'_a = \sigma_a \cdot \mathit{sent}(u)$, let
$\mathsf{a}_a = \mathit{send}(u)$; if $\sigma'_a = \sigma_a \cdot \mathit{recv}(u)$, let $\mathsf{a}_a$ = no-op
(by MP1 and MP2, we know that there must exist a $\mathit{sent}(u)$ in $\sigma'_b$ for some $b$).
We can check that $\mathsf{a} = \langle \mathsf{a}_a : a \in \mathcal{A} \rangle$ has the required property.
Hence, $r$ is consistent with $P$ given $\tau_P$, and $r(0) \in \mathcal{I}_0$, and therefore
$r \in \mathcal{R}$. □

Theorem 6.2. If $P$ is a joint protocol decomposable into monotone protocols,
then there exists a strand space $\Sigma$ and an agent assignment $A$ such that
$T_A(\Sigma) = \mathcal{R}(P, \tau_P, \mathcal{I}_0)$.

Proof. By definition, for all agents $a \in \mathcal{A}$, there exist monotone protocols
$P_a^1, P_a^2, \ldots$. For each such protocol $P_a^i$, we can find events
$e^i_{a,1}, e^i_{a,2}, \ldots$ as in the definition. Let $|P_a^i|$ denote the length of this
sequence (which could be $\infty$).

Construct the strand space
$\Sigma = \{s_a^{i,n} : a \in \mathcal{A},\ i \geq 1,\ 1 \leq n \leq |P_a^i|\} \cup \{s_a^u : a \in \mathcal{A},\ u \in M\}$.
The strand $s_a^{i,n}$ corresponds to a prefix of length $n$ of the events in the
sequence for $P_a^i$. More precisely, its trace mapping is
$\mathit{tr}(s_a^{i,n}) = \langle t_1, \ldots, t_n \rangle$, where for all $1 \leq j \leq n$, if
$e^i_{a,j} = \mathit{sent}(u)$, then $t_j$ is $+u$, and if $e^i_{a,j} = \mathit{recv}(u)$, then $t_j$ is
$-u$. The strands of the form $s_a^u$ are simple strands corresponding to receiving message
$u$; there is one such strand for each message $u \in M$, and for each agent
$a \in \mathcal{A}$. The trace mapping is simply $\mathit{tr}(s_a^u) = \langle -u \rangle$.
(These strands will be used to account for unsolicited messages delivered to agent
$a$.) The agent assignment $A$ is simply defined by taking $A(s_a^{i,n}) = a$ and
$A(s_a^u) = a$, as expected.

Recall from Section 3 that $T_A(\Sigma, \mathcal{A}, A)$ maps to the set of runs
$\{r^C : C \in \mathit{Chains}(\Sigma, \mathcal{A}, A)\}$. We show that this set of runs is just
$\mathcal{R}(P, \tau_P, \mathcal{I}_0)$.

First, let $C$ be a chain in $\mathit{Chains}(\Sigma, \mathcal{A}, A)$. Recall that $r^C$ is the run with
$r^C(m) = \langle \mathit{hist}_a^m(C) : a \in \mathcal{A} \rangle$. To show that $r^C$ is in
$\mathcal{R}(P, \tau_P, \mathcal{I}_0)$, it suffices to show that $r^C$ is consistent with $P$ given
$\tau_P$, and that $r^C(0) \in \mathcal{I}_0$. The latter is an immediate consequence of the fact
that $r^C_a(0) = \mathit{hist}_a^0(C) = \langle \rangle$. The former requires showing that for all $m$,
we can find a joint action $\mathsf{a} = \langle \mathsf{a}_a : a \in \mathcal{A} \rangle$ such that
$\mathsf{a}_a \in P_a(r^C_a(m))$ and $r^C(m+1) \in \tau_P(\mathsf{a})(r^C(m))$. Fix $m$. For an agent
$a \in \mathcal{A}$, if $\mathit{hist}_a^m(C) = \mathit{hist}_a^{m+1}(C)$, take $\mathsf{a}_a$ = no-op.
Otherwise, observe that by construction of the strand space $\Sigma$, there exist
$j_1, j_2, \ldots$ such that $\bigcup_i E^i_{a,j_i} \subseteq \mathit{hist}_a^m(C)$, and
$\mathit{hist}_a^{m+1}(C) - \mathit{hist}_a^m(C)$ is either $e^i_{a,j_i+1}$ for some $i$, in which case
we take $\mathsf{a}_a = \mathit{send}(u)$ if $e^i_{a,j_i+1} = \mathit{sent}(u)$, and $\mathsf{a}_a$ = no-op
otherwise; if $\mathit{hist}_a^{m+1}(C) - \mathit{hist}_a^m(C) = \{\mathit{recv}(u)\}$ for some $u$, we take
$\mathsf{a}_a$ = no-op. Finally, take $\mathsf{a} = \langle \mathsf{a}_a : a \in \mathcal{A} \rangle$. It is
not hard to check that this joint action has the desired property. For example, if
$\mathit{hist}_a^{m+1}(C) - \mathit{hist}_a^m(C) = \{\mathit{sent}(u)\}$, then $\mathsf{a}_a = \mathit{send}(u)$.
If $\mathit{hist}_a^{m+1}(C) - \mathit{hist}_a^m(C) = \{\mathit{recv}(u)\}$, then $\mathsf{a}_a$ = no-op, and by
the bundle properties, there must have been a corresponding send appearing in
$\mathit{hist}_b^{m+1}(C)$ for some other $b$. In both cases, using strand transition function
$\tau_P$ gives us the right result. Hence $r^C \in \mathcal{R}(P, \tau_P, \mathcal{I}_0)$ for
$C \in \mathit{Chains}(\Sigma, \mathcal{A}, A)$.

Second, consider a run $r \in \mathcal{R}(P, \tau_P, \mathcal{I}_0)$. We need to construct a chain
$C \in \mathit{Chains}(\Sigma, \mathcal{A}, A)$ such that $r = r^C$. However, for the same reasons as in
the proof of Theorem 3.1, we cannot simply define the chain inductively. We use the same
construction as in the proof of Theorem 3.1, which tells us how to construct a
chain; essentially, the chain is constructed by "picking" the right strands from
bundles. However, to apply the construction, we need to verify a few facts. From
Theorem 6.1, we know that $\mathcal{R}(P, \tau_P, \mathcal{I}_0)$ is a strand system, generated by
$\langle V_a : a \in \mathcal{A} \rangle$, where
$V_a = \{r_a(m) : a \in \mathcal{A},\ r \in \mathcal{R}(P, \tau_P, \mathcal{I}_0)\}$. The construction in the
proof of Theorem 3.1 relied on the fact that to every history $h \in V_a$, there was a
bundle in $\Sigma$ for which every event associated with a strand of agent $a$ corresponded
to an event in $h$. The same holds in our setting: observe that $h \in V_a$ iff there
exist $j_1, j_2, \ldots$ such that $\bigcup_i E^i_{a,j_i} \subseteq h$ and
$h - \bigcup_i E^i_{a,j_i}$ is made up exclusively of recv events, by definition of $\tau_P$ and
the fact that $P$ is decomposable into monotone protocols. For any such history $h$ there is a
bundle $B$ with the following strand prefixes corresponding to agent $a$: for each $i$, if
$j_i = 0$, then no node of $s_a^{i,n}$ is in $B$ (for any $n$), while if $j_i = k$, then the
first $k$ nodes of $s_a^{i,n}$ (for any $n \geq k$) are in $B$; the events in $h$ unaccounted for
by these strand prefixes are recv events, for which corresponding strands of the form
$s_a^u$ are in $B$. (Whatever other strands are in $B$ are unimportant, so simply take the
downward closure of the given strand prefixes.) Therefore, we can apply the construction in
the proof of Theorem 3.1 to get a chain $C = B_0 \mapsto B_1 \mapsto \ldots$ with the property that
$r_a(m) = \mathit{hist}_a^m(C)$. Hence, $r = r^C$. In other words,
$r \in T_A(\Sigma, \mathcal{A}, A)$. □



ACKNOWLEDGMENTS 

We would like to thank Andre Scedrov for pointing us to fair exchange protocols 
as a likely source of knowledge-based specifications in security protocols. Vicky 
Weissman and Kevin O'Neill read a draft of this paper and provided numerous 
helpful suggestions. 



ACM Journal Name, Vol. V, No. N, Month 20YY. 



26 • J. Y. Halpern and R. Pucella 



REFERENCES 

Alpern, B. and Schneider, F. B. 1985. Defining liveness. Information Processing Letters 21, 181-185.

Asokan, N., Shoup, V., and Waidner, M. 1998. Asynchronous protocols for optimistic fair exchange. In Proceedings of the IEEE Symposium on Research in Security and Privacy. IEEE Computer Society Press, 86-99.

Ben-Or, M., Goldreich, O., Micali, S., and Rivest, R. L. 1990. A fair protocol for signing contracts. IEEE Transactions on Information Theory 36, 1, 40-46.

Burrows, M., Abadi, M., and Needham, R. M. 1990. A logic of authentication. ACM Transactions on Computer Systems 8, 1, 18-36.

Busi, N. and Gorrieri, R. 1994. Distributed conflicts in communicating systems. In ECOOP Workshop. Lecture Notes in Computer Science, vol. 924. Springer, 49-65.

Cervesato, I., Durgin, N., Mitchell, J., Lincoln, P., and Scedrov, A. 2000. Relating strands and multiset rewriting for security protocol analysis. In Proceedings of the 13th IEEE Computer Security Foundations Workshop. IEEE Computer Society Press, 35-51.

Crazzolara, F. and Winskel, G. 2001. Events in security protocols. In Proceedings of the Eighth ACM Conference on Computer and Communications Security. ACM Press, 96-105.

Fagin, R., Halpern, J. Y., Moses, Y., and Vardi, M. Y. 1995. Reasoning about Knowledge. The MIT Press.

Gray III, J. W. and Syverson, P. F. 1998. A logical approach to multilevel security of probabilistic systems. Distributed Computing 11, 2, 73-90.

Grove, A. J. 1995. Naming and identity in epistemic logic II: a first-order logic for naming. Artificial Intelligence 74, 2, 311-350.

Grove, A. J. and Halpern, J. Y. 1993. Naming and identity in epistemic logics, Part I: the propositional case. Journal of Logic and Computation 3, 4, 345-378.

Halpern, J. Y. 2000. A note on knowledge-based programs and specifications. Distributed Computing 13, 145-153.

Halpern, J. Y., Moses, Y., and Tuttle, M. R. 1988. A knowledge-based analysis of zero knowledge. In Proc. 20th ACM Symp. on Theory of Computing. 132-147.

McLean, J. 1994. Security models. In Encyclopedia of Software Engineering, J. Marciniak, Ed. Wiley Press.

Palamidessi, C. 1997. Comparing the expressive power of the synchronous and the asynchronous pi-calculus. In Conference Record of the Twenty-Fourth Annual ACM Symposium on Principles of Programming Languages. ACM Press, 256-265.

Shmatikov, V. and Mitchell, J. C. 2000. Analysis of a fair exchange protocol. In Seventh Annual Symposium on Network and Distributed System Security (NDSS 2000). 119-128.

Snekkenes, E. 1992. Roles in cryptographic protocols. In Proceedings of the 1992 IEEE Symposium on Security and Privacy. IEEE Computer Society Press, 105-119.

Stubblebine, S. and Wright, R. 1996. An authentication logic supporting synchronization, revocation, and recency. In 3rd ACM Conference on Computer and Communications Security. ACM Press.

Syverson, P. 1990. A logic for the analysis of cryptographic protocols. NRL Report 9305, Naval Research Laboratory.

Syverson, P. 1999. Towards a strand semantics for authentication logic. Electronic Notes in Theoretical Computer Science 20.

Thayer, F. J., Herzog, J. C., and Guttman, J. D. 1999a. Mixed strand spaces. In Proceedings of the 12th IEEE Computer Security Foundations Workshop. IEEE Computer Society Press.

Thayer, F. J., Herzog, J. C., and Guttman, J. D. 1999b. Strand spaces: Proving security protocols correct. Journal of Computer Security 7, 2/3, 191-230.




